Access Control and the Resource Description Framework: A ...

Semantic Web 0 (2016) 1–42 1IOS Press

Access Control and the Resource DescriptionFramework: A SurveyEditor(s): Bernardo Cuenca Grau, University of Oxford, UKSolicited review(s): Luca Costabello, Fujitsu, Ireland; One anonymous reviewer

Sabrina Kirrane a,∗, Alessandra Mileo b, Stefan Decker ca Vienna University of Business and Economics, AustriaE-mail: [email protected] Insight Centre for Data Analytics, National University of Ireland, Galway, IrelandE-mail: [email protected] RWTH Aachen University, GermanyE-mail: [email protected]

Abstract. In recent years we have seen significant advances in the technology used to both publish and consume structureddata using the existing web infrastructure, commonly referred to as the Linked Data Web. However, in order to support the nextgeneration of e-business applications on top of Linked Data suitable forms of access control need to be put in place. This paperprovides an overview of the various access control models, standards and policy languages, and the different access controlenforcement strategies for the Resource Description Framework (the data model underpinning the Linked Data Web). A setof access control requirements that can be used to categorise existing access control strategies is proposed and a number ofchallenges that still need to be overcome are identified.

Keywords: Access Control, Policies, Linked Data, Semantic Web, Resource Description Framework

1. Introduction

The term Linked Data Web (LDW) is used to de-scribe a World Wide Web where data is directly linkedwith other relevant data using machine-readable for-mats [63,38]. Although the technology underpinningthe LDW has been in existence for a number of years,up until now data publishers have primarily focused onexposing and linking public data. With the advent ofupdate languages for the Resource Description Frame-work (RDF) data model, such as SPARQL 1.1 [101],the LDW has the potential to evolve from a medium forpublishing and linking public data, to a dynamic read-/write distributed data source. Such an infrastructurewill be capable of supporting not only data integrationof public and private data, but also the next generation

*Corresponding author, e-mail: [email protected]

of electronic business applications. However, in orderto make the move from simply linking public data tousing the Linked Data infrastructure as a global datas-pace, suitable security mechanisms need to be put inplace.

Security in general and access control in particular-ity have been extensively studied by both the databaseand the information system communities, among oth-ers. Early work on access control policy specificationand enforcement within the Semantic Web communityfocused on: representing existing access control mod-els and standards using semantic technology; propos-ing new access control models suitable for open, het-erogeneous and distributed environments; and devis-ing languages and frameworks that can be used to fa-cilitate access control specification and maintenance.Later researchers examined access control for the RDFdata model in general and access control propagation,

1570-0844/16/$27.50 c© 2016 – IOS Press and the authors. All rights reserved

2 S. Kirrane et al. / Access Control and the Resource Description Framework

based on the semantic relations between policy enti-ties in particular. In recent years the focus has shiftedto access control policy specification and enforcementover Linked Data. Although few authors have pro-posed access control strategies specifically for LinkedData [77,19,52,86], there is a large body of work ongeneral policies languages and access control strate-gies for the RDF data model that could potentially beapplied to Linked Data. In order to better understandthe potential of existing access control mechanisms,this paper provides an overview of a number of ac-cess control models, standards, languages and frame-works. A set of access control requirements are col-lated from [104,22,102,23,8,73] and categorised ac-cording to four different dimensions (specification, en-forcement, implementation and infrastructure) that arenecessary from an access control perspective. Theserequirements are used not only to classify existing ac-cess control strategies but also to identify challenges,with respect to usability and understandability of ac-cess control policies and both the correctness, perfor-mance and scalability of the enforcement frameworks,that still need to be overcome.

The remainder of the paper is structured as follows:Section 2 presents relevant access control models andstandardisation efforts and discusses how they havebeen applied to, or enhanced, using semantic technol-ogy. Section 3 details several well known policy lan-guages and frameworks that use ontologies, rules ora combination of both to represent policies. Section 4describes the different access control administrationand enforcement strategies that have been proposed forRDF data. Section 5 presents a set of access control re-quirements and categorises existing access control lan-guages and frameworks accordingly. Finally Section 6concludes the paper and presents directions for futurework.

2. Access Control Models and Standards

Generally speaking the term access control is usedto refer to the model, which is the blueprint that is usedto guide the access control process; the policy lan-guage, which defines both the syntax and the semanticsof the access control rules; and the framework, whichis a combination of the access control model, the lan-guage and the enforcement mechanism. At its most ba-sic, an access control rule (otherwise known as an au-thorisation) can be represented as a tuple 〈S,R,AR〉where S denotes the subject (entities requesting access

to resources), R denotes the resource (entities to beprotected) and AR represents the access rights (per-missions and prohibitions often based on actions per-taining to the resource). Sets of access control rulesare collectively referred to as an access control pol-icy. The decision to grant or deny access is based ontwo distinct processes, authentication and authorisa-tion. Authentication involves the verification of cre-dentials (you are who you say you are). Whereas, au-thorisation is the process of granting or denying accessto system resources based on credentials.

This section describes both well known and emerg-ing access control models, and relevant standardisationefforts. In each instance, a description of the accesscontrol model/standard is provided, along with detailsof how the model/standard has been applied to or en-hanced using Semantic Web technologies.

2.1. Access Control Models

Mandatory Access Control (MAC), DiscretionaryAccess Control (DAC) and Role Based Access Control(RBAC) are the most prominent access control mod-els found in the literature, and used in practice. ViewBased Access Control (VBAC) is a complementary ac-cess control model which grants access to sets of en-tities, logically structured as views. More recently re-searchers have proposed new access control models,that are deemed more suitable for the open, heteroge-neous and distributed architecture of the web. Primaryresearch efforts, involve using properties (relating tothe subject, resource or the environment) as opposed toidentities, in order to determine if access to resourcesshould be permitted. Attribute Based Access Control(ABAC) and Context Based Access Control (CBAC)are the predominant works in this area.

In this section we present the vocabularies used tospecify the access control model and provide details ofthe different enforcement mechanisms. A summary ofthe existing proposals is presented in Table 1 and thecore ideas are represented on a timeline in Figure 1.

2.1.1. Mandatory Access ControlMAC limits access to resources using access control

policies determined by a central authority [79]. Thecentral authority is responsible for classifying bothsubjects and resources according to security levels. Re-sources are assigned labels that represent the securitylevel required to access the resource, and only subjectswith the same security level or higher are granted ac-cess. MAC was originally developed for military ap-

S. Kirrane et al. / Access Control and the Resource Description Framework 3

Table 1Access Control Models - Policy Representation and Enforcement

Model Policy Representation Enforcement Mechanism Enforcement FrameworkMAC Kodali et al. [54] MAC concepts and security levels mod-

elled in DAML+OILDL & DQL query based enforce-ment

multiple AC models

Yagüe del Valle et al. [104] subject, resource and policy semanticmetamodels

XML based enforcement attribute based access control

DAC Gabillon and Letouzey [33] user, resources or the environment rule based enforcement delegate ability to execute queriesKirrane et al. [53] GRANT & REVOKE SPARQL queries rule based enforcement DAC requirementsKirrane et al. [52] authorisations with delegator attribute rule based enforcement delegate access using rulesKodali et al. [54] DAC concepts and subjects modelled in

DAML+OILDL & DQL query based enforce-ment

multiple AC models



RBAC Alcaraz Calero et al. [2] roles mapped to CIM and modelled inOWL

DL & rule based enforcement CIM in OWL

Wu et al. [103] roles as classes in OWL - -Ferrini and Bertino [28] roles modelled as XACML policies &

RBAC constraints modelled in OWLXACML and DL based enforce-ment

roles & constraints in OWL

Finin et al. [30] roles as classes in OWL & roles as in-stances in OWL

- -

Kodali et al. [54] RBAC concepts and roles modelled inDAML+OIL

DL & DQL query based enforce-ment

multiple AC models



VBAC Dietzold and Auer [25] triples, classes and properties rule & SPARQL based enforcement SPARQL CONSTRUCT queriesGabillon and Letouzey [33] user, resources or the environment rule & SPARQL based enforcement SPARQL CONSTRUCT and DESCRIBE

queries & named graphsLi and Cheung [57] concepts, relations and filter conditions rule based enforcement data filteringMühleisen et al. [60] triple patterns, resources or instances

policiesrule based enforcement using SWRL rules to generate temporary

named graph

ABAC Cirio et al. [15] ABAC modelled in OWL-DL DL and SPARQL based enforce-ment

OWL design patterns

Priebe et al. [66] - - metadata based access control patternPriebe et al. [67] XACML modelled in OWL XACML based enforcement XACML extended with OWL reasoningStermsek et al. [85] RDF properties used to specify subjects

and objects- policy decision and enforcement points

CBAC Corradi et al. [16]Montanari et al. [59]

context ontology high level policy enforcementmodel

context as a first-class principle

Costabello et al. [17] context specified using name/value pairs Java & SPARQL based enforce-ment

using ASK queries to check policies

Shen and Cheng [83] context and policy ontologies SWRL rule based enforcement -

plications and therefore it is best suited to closed envi-ronments, where a great deal of control is required [6].Given the open, heterogeneous and distributed natureof the web, it is not surprising that MAC has not gainedmuch traction among Semantic Web researchers. Pri-mary research efforts focus on: (i) defining vocabular-ies that can be used to support multiple access con-trol models [54]; and (ii) using attributes to representdifferent credentials (e.g. identities, roles and labels)[104]. A summary of the various policy specificationand enforcement mechanisms are presented below:

Policy Specification. Kodali et al. [54] propose aDAML+OIL1 ontology and demonstrate via exam-ple how it can be used to represent MAC, DAC and

RBAC policies. In the case of MAC both the subjectand resources are assigned security levels. A subject isgranted access a to resource if the their security leveldominates the security level of the resource. One ofthe drawbacks of the approach is that a resource canonly be governed by one access control model (eitherMAC, DAC or RBAC).

An alternative strategy is proposed by Yagüe delValle et al. [104]. Like Kodali et al. [54], the au-thors provide support for multiple access control mod-els, however rather than defining an ontology the au-thors propose an ABAC model and discuss how it canbe used to support not only MAC but also DAC and

1DAML+OIL, http://www.w3.org/TR/daml+oil-reference


Fig. 1. Access Control Models

2002 2004 2006 2008 2010 2012 2014

MAC

DAC

RBAC

VBAC

ABAC

CBAC

multiple AC models

[54]

ABAC[104]

multiple AC models

[54]

ABAC[104]

delegate

ability to execu

te queries[

33]

DAC require

ments[53], dele

gateacc

essusin

g rules[52]

multiple AC models

[54]

ABAC[104]

OWLclasse

s[103]

OWL classe

s & instances

[30]

roles& constra

inst in OWL[28]

CIMin OWL[2]CO

NSTRUCT&DESCRIBE

queries[

25]

datafilter

ing[57]

CONSTRUCT&DESCRIBE

queries[

33], temporar

y named

graphs[6

0]

metadata

based AC patte

rns[66], View

s in OWL[85]

XACML in OWL[67]

ABAC in OWL-DL[15]contex

t and policyontologies

[16]

context and policy

ontologies[83]

context as

name-v

alue pair

s[17]

Publication Year

Acc

ess

Con

trol

Stan

dard

RBAC.

Enforcement Framework. Kodali et al. [54] describea unifying framework which can be used to enforce anumber of different access control models, MAC be-ing one of them. The authors use DQL2 queries (i.e.DAML+OIL query patterns) together with a DAML-JessKB Description Logic (DL) reasoner in order tocreate an access restricted view of a multimedia docu-ment for a particular security level.

Although Yagüe del Valle et al. [104] indicate thatthey adopt an XML based enforcement mechanism fortheir attribute based access control policies, they do notdescribe the enforcement framework.

2.1.2. Discretionary Access ControlDAC policies associate one or more subjects with

sets of access rights pertaining to one or more re-sources. Like MAC, DAC restricts access by means ofa central access control policy, however users are al-lowed to override the central policy and can pass theiraccess rights on to other users, a process known as del-

2DQL, http://www.daml.org/dql/

egation [81]. According to Weitzner et al. [102], theweb needs discretionary, rule based access control. Al-though the authors describe a motivating scenario andpresent a potential solution, they focus primarily on thegeneral architecture of the system, as opposed to inves-tigating how discretionary access control can be mod-elled or enforced. When it comes to intersection be-tween DAC and RDF, research efforts to date have fo-cused on: (i) supporting multiple access control mod-els [104,54]; (ii) providing support for the delegated ofaccess rights to others [33,53,52]. A summary of thevarious policy specification and enforcement mecha-nisms are presented below:

Policy Specification. The ontology proposed by Ko-dali et al. [54] and the ABAC model proposed byYagüe del Valle et al. [104] can also be used to spec-ify DAC policies. In both instances, the authors focuson the specification of policies rather than the dele-gation of permissions. In contrast, Kirrane et al. [53]provide a summary of discretionary access control re-quirements for the RDF data model, based on the dif-ferent characteristics of the graph data model com-pared to relational and tree data models. The authors


suggest extending the SPARQL query language withtwo new commands GRANT and REVOKE that couldbe used to manage the delegation of access rights inRDF databases. In follow-up work Kirrane et al. [52]discuss how DAC can be used together with declara-tive policies. In particular, the authors identify the needfor an additional authorisation element that is used torepresent the person that generated the authorisation.

Enforcement Framework. According to Kodali et al.[54] and Yagüe del Valle et al. [104] their general ac-cess control frameworks can also be used to enforceDAC policies, however as mentioned previously theauthors do not consider the delegation and revocationof permissions.

In contrast both Gabillon and Letouzey [33] andKirrane et al. [52] focus specifically on access con-trol delegation. Gabillon and Letouzey [33] allowusers to define security policies for RDF graphsand SPARQL views (SPARQL CONSTRUCT andDESCRIBE queries) that they own. Users may dele-gate rights to other users by specifying an authorisationwhich grants CONSTRUCT and DESCRIBE privilegesto their RDF dataset, one or more RDF graphs or viewsof the RDF dataset. Although the authors describe thedelegation process no consideration is given to the re-vocation of policies. Kirrane et al. [52] also proposean ownership model, whereby the data producer isgranted full access to the data items they create. Al-though they present an administration algorithm thatcan be used to generate new authorisations, they donot provide algorithms for the delegation and revoca-tion processes. The authors state that neither the grantnor the revoke algorithms are dependent on the datamodel and as such traditional revocation approachessuch as cascading and non-cascading could be used inconjunction with the proposed framework.

2.1.3. Role Based Access ControlRBAC restricts access to resources to groups of

users, with common responsibilities or tasks, gener-ally referred to as roles. In RBAC, users are assignedto appropriate roles and access to resources is grantedto one or more roles, as opposed to users directly [82].The term session is commonly used to refer to theset of roles that the user is currently assuming (theiractive roles). Whereas, role deactivation is generallyused to refer to the process whereby a user is removedfrom a role. Depending on the usecase, roles may beorganised to form either a hierarchy or a partial or-der. Such structures are used to simplify access controlspecification and maintenance. Constraints are com-

monly used to enforce conditions over access controlpolicies. For RBAC, these constraints take the formof both static and dynamic separation of duty (a usercannot be assigned to two roles simultaneously) andprerequisites (a user can only be assigned to a role ifthey have already been assigned another required role).When it comes to RBAC research efforts have primar-ily focused on: (i) modelling RBAC entities as classes[54,103,30] or instances [30]; and (ii) adapting exist-ing vocabularies, such as the eXtensible Access Con-trol Markup Language (XACML) [28] and the Com-mon Information Model (CIM) [2], in order to cater forRBAC. An overview of the various RBAC policy spec-ification and enforcement mechanisms are presentedbelow:

Policy Specification. Kodali et al. [54] propose anontology that can be used to associate access controlpolicies with roles. Wu et al. [103] provide a basicmodelling for RBAC concepts and constraints usingOWL3. User, Role, Permission and Sessionentities are represented as classes. While, the follow-ing properties are used to represent relationships:

– hasRole (assigns a user to a role);– hasPermission (associates a role with a per-

mission);– belongTo (maps a session to a single user); and– hasActiveRole (maps a set of roles to a ses-

sion).

Two additional properties are used to model separationof duty and prerequisite constraints:

– conflictRole (indicates that there is a con-flict between two roles); and

– prerequesiteRole (specifies that one role isdependent on another).

Finin et al. [30] build on the work proposed by Wuet al. [103] by examining the advantages and disadvan-tages of representing roles as classes and roles as in-stances. When roles are represented as instances themodelling is simple and more concise. Whereas, whenroles are represented as classes, it is possible to deter-mine subsumption relationships according to a usersactive role and the role hierarchy, using standard de-scription logic subsumption. In order to cater for roledeactivation it should be possible to temporarily re-move a user from a role. However, as OWL is mono-

3OWL, www.w3.org/TR/owl-ref/

www.w3.org/TR/owl-ref/


tonic "state changes such as role deactivations, andmodifying role permission assignments must be han-dled outside the reasoners" [30]. For example, assum-ing that a user has a set of roles assigned to them. Whenthe user interacts with the system, it should be possi-ble for them to choose to activate (or deactivate) anyof their roles. The activated roles determine which per-missions are available to the user at a given time. Assuch, the authors use N3Logic rules in order to caterfor separation of duty and role deactivation constraints.

Rather than propose a new vocabulary, Ferrini andBertino [28] and Alcaraz Calero et al. [2] demonstratehow existing vocabularies can be modelled in OWL.Ferrini and Bertino [28] discuss how the eXtensibleAccess Control Markup Language (XACML)4, an at-tribute based access control language and framework,proposed by the Advanced Open Standards for the In-formation Society (OASIS), and OWL can be usedto specify and enforce RBAC. While, Alcaraz Caleroet al. [2] demonstrate how the Common InformationModel (CIM)5 (a standard vocabulary used to repre-sent information technology objects and the relation-ship between them) can be used to represent RBAC.The authors provide a mapping between RBAC con-cepts and the CIM vocabulary which they model usingOWL.

Enforcement Framework. According to Yagüe delValle et al. [104] their general access control frame-works can also be used to enforce RBAC policies.However, as stated previously Yagüe del Valle et al.[104] do not describe the enforcement framework. Incontract, Ferrini and Bertino [28] discuss how ABACcan be used enforce RBAC policies. In the proposedframework the user submits their role as a subject at-tribute. On receipt of the request the system extractsthe role from the subject attribute and the descriptionlogic reasoner is used to retrieve additional roles thatcan be inferred from the OWL ontology. These rolesare subsequently fed into the XACML engine. Finallythe XACML engine consults the XACML policy in or-der to determine if access should be granted. As thepolicies are not modelled in OWL it is possible to sup-port role deactivation. However, with the existing mod-elling it is not possible to exploit reasoning over policyresources or access rights.

4XACML,https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

5CIM, http://www.dmtf.org/standards/cimIn the architecture proposed by Alcaraz Calero et al.

[2] constraints are represented as rules using the Se-

mantic Web Rule Language (SWRL)6. For example,in order to model a separation of duty constraint, arule is defined which checks if there are any com-mon instances between roles and if so generates anexception. The authors describe how a SPARQL en-abled reasoner, such as Pellet, can be used to query theOWL policy, in order to determine if access should begranted or denied. In Section 3 we will discuss the ben-efits and limitations of both ontology and rule basedenforcement strategies.

2.1.4. View Based Access ControlVBAC [37] is used in relational databases to simul-

taneously grant access to one or more relations, tuples,attributes or values. A similar approach is used in Ob-ject Oriented Access Control (OBAC) [27], where ac-cess rights are granted to sets of application objects.Primary research efforts with respect to VBAC andRDF focus on: (i) using rules to grant and deny accessto views of the data [57,60]; and (ii) using SPARQLCONSTRUCT and DESCRIBE queries to grant anddeny access at multiple levels of granularity [25,33].A summary of the various VBAC policy specificationand enforcement mechanisms are presented below:

Policy Specification. Li and Cheung [57] allow au-thorisations to be specified using a combination of on-tology concepts, relations and filter conditions (equalto, less than and greater than) and use rules to gen-erate access restricted views of the dataset. Similarly,Mühleisen et al. [60] allow access control policies tobe specified for triple patterns, resources or instancesusing SWRL rules. In the case of Li and Cheung [57]access control policies are associated with a particularsubject, whereas in the case of Mühleisen et al. [60]access control policies are specified using contextualinformation pertaining to the user, resources or the en-vironment.

Both Dietzold and Auer [25] and Gabillon andLetouzey [33] use a combination of rules and filters de-fined using SPARQL queries in order to construct a ac-cess restricted view of the data. Dietzold and Auer [25]propose access control policy specification at multiplelevels of granularity (triples, classes and properties).Authorisations are used to associate filters (SPARQLCONSTRUCT queries) with users and resources. Gabil-lon and Letouzey [33] extend the modelling proposedby Dietzold and Auer [25] by proposing an access con-

6SRWL, http://www.w3.org/Submission/SWRL/

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

http://www.dmtf.org/standards/cim

http://www.w3.org/Submission/SWRL/


trol model which can be used to grant/deny access toboth SPARQL CONSTRUCT and DESCRIBE queriesand named graphs.

Enforcement Framework. Both Li and Cheung [57]and Mühleisen et al. [60] discuss how rules can be usedto generate a subset of the data that the requester isauthorised to access. In the case of Li and Cheung [57]when a requester submits a query, the system uses therules to generate a view of the authorised data. WhileMühleisen et al. [60] use rules to generate a tempo-rary named graph containing only authorised data. Therequesters query is subsequently executed against thetemporary named graph and the results are returned tothe user.

Both Dietzold and Auer [25] and Gabillon andLetouzey [33] describe how RDF data can be logicallyorganised into views using SPARQL CONSTRUCTand DESCRIBE queries. When a requester submitsa query, a virtual model is generated based on thematched authorisations. The query is subsequently ex-ecuted against the virtual model, which only containsdata that the requester is authorised to access.

2.1.5. Attribute Based Access ControlABAC was designed for distributed systems, where

the subject may not be known to the system, prior tothe submission of a request. ABAC grants or deniesaccess to resources, based on properties of the sub-ject and/or the resource, known as attributes. Primaryresearch efforts to date focused on: (i) using rules togrant access based on attributes directly or indirectlyusing roles [85]; (ii) using ontologies to grant accessbased on attributes directly or indirectly using roles[15]; and (iii) proposing a pattern which can be used toguide the development of attribute based access con-trol frameworks [66]. Primary research efforts with re-spect to ABAC policy specification and enforcementmechanisms are presented below:

Policy Specification. Priebe et al. [67], discuss howattribute based access control policies specified usingXACML can be modelled using OWL. While, Cirioet al. [15] demonstrate how OWL-DL can be used toexpresses role based access control concepts and ex-tend the modelling to cater for attributes. The authorsuse rdfs:domain and rdfs:range properties toassert knowledge instead of using them as constraints.Such an approach simplifies policy specification as

concepts can be defined implicitly. In the presentedmodelling policies are specified for classes as opposedto instances. For example, it is possible to state that astudent prepares a thesis and is advised by an advisor;and an advisor advises a student and reviews a thesis.However, it is not possible to say that an actual the-sis prepared by a particular student is the same thesisinstance that is retrieved by the respective advisor. Assuch, the authors use two predicates requiresTrueand requiresFalse (with domain Role and rangeString) in order to specify run time constraints basedon user attributes. The constraints are specified us-ing SPARQL queries, which are executed against theknowledge base at runtime. Similarily, Stermsek et al.[85] discuss how attributes can be used to specify ac-cess control directly using rules and indirectly usingroles. In the former, the requesters attributes are com-pared against a policy, which indicates the attributesnecessary to access a resource. Whereas in the latter,permissions are assigned to roles and the requesters at-tributes are used to determine the access rights or rolesthe subject should be mapped to.

Enforcement Framework. Priebe et al. [67], discusshow XACML policies together with a reasoning en-gine, allow for deductive reasoning based XACMLpolicies modelled using OWL. Stermsek et al. [85] de-scribe three different mechanisms that can be used toobtain the attributes pertaining to a subject: (i) sub-jects can send all of their attributes to the server, withthe initial request; (ii) the server can request particu-lar attributes from the subject, once the initial requestis submitted; and (iii) given the subject may be cau-tious about giving out the requested credentials to anunknown entity, both the server and the client couldexchange policies and attributes (a process commonlyknown as trust negotiation). While, Cirio et al. [15]discuss how SPARQL ASK queries can be used to rep-resent constraints that are evaluated at runtime using acustom policy decision point, which wraps a descrip-tion logic reasoner.

Priebe et al. [66], inspired by software designpatterns, present a Metadata-Based Access Control(MBAC) pattern, which aims to encapsulate best prac-tice with respect to attribute based access control. Inthe presented pattern subjects and objects are modelledas sets of attribute/value pairs. While, authorisationsubjects and authorisation resources are described interms of required attributes and corresponding values.


2.1.6. Context Based Access ControlCBAC uses properties, pertaining to users, re-

sources and the environment, to grant/deny access toresources. In light of new and emerging human com-puter interaction paradigms, such as ubiquitous com-puting and the internet of things, access control basedon context has been graining traction in recent years.Existing proposals for CBAC can be summarised asfollows: (i) proposing a framework which differenti-ates between physical and logical context [16,59]; and(ii) using ontologies and rules to specify access con-trol policies that take context relating to subjects, ob-jects, transactions and the environment into considera-tion [83]; and (iii) using ontologies and SPARQL ASKqueries to restrict access to named graphs [17]. A sum-mary of the CBAC policy specification and enforce-ment mechanisms are presented below:

Policy Specification. Shen and Cheng [83] proposecontext and policy ontologies that are used to specifyboth positive and negative authorisations and obliga-tions. Context provides a level of indirection betweensubjects and permissions. The authors propose fourdifferent types of context, that are relevant from a ac-cess control perspective: (i) Subject contexts (proper-ties pertaining to a subject); (ii) Object contexts (infor-mation relating to resources); (iii) Transaction contexts(either current or past information relating to a partic-ular action); and (iv) Environment contexts (other con-textual information not relating directly to the subject,the resource or the action, for example time of day).An authorisation permits/prohibits an action, based onsets of contexts supplied by the user. Actions areused to represent operations that a subject wishes toperform and Permission Assignments are usedto associate contexts with actions. Rules are used toinsert new authorisations, based on contextual infor-mation, into a knowledge base. Like Shen and Cheng[83], Corradi et al. [16] and Montanari et al. [59] pro-pose access control policies that are composed of map-pings between context and permissions. Complex poli-cies are generated using conjunction, disjunction andnegation operators.

Costabello et al. [17] propose a policy language thatcan be used to restrict access to named graphs usingcontextual information supplied by the requester. Anaccess control policy is a tuple 〈ACS,AP, S,R,AEC〉,where ACS is a set of access conditions (specified us-ing SPARQL ASK queries); AP is a set of access priv-ileges (CREATE, READ, UPDATE or DELETE); S de-notes the subjects to be protected; R represents the

named graphs to be protected; and AEC is the evalua-tion context specified using name value pairs (verifiedusing SPARQL BINDINGS).

Enforcement Framework. Corradi et al. [16] andMontanari et al. [59] propose a context based accesscontrol model and framework, called UbiCOSM. Theproposed access control model uses context to grouppolicies. The authors distinguish between physical andlogical context. The former relates to the physical lo-cation denoted by geographical coordinates. Whereas,the latter refers to logical properties pertaining to theusers and resources. When a user requests access toa resource, the UbiCOSM enforcement framework re-trieves the relevant policies and generates a view basedon the users permissions.

Shen and Cheng [83] propose a semantic-awarecontext-based access control (SCBAC) model anddemonstrate how together ontologies and rules canbe used to generate authorisations. In the proposedframework an access request is represented as a tu-ple 〈U,P,C,R〉 where user U, requests privilege P onresource R, in light of a given context C. Access isenforced by representing access requests as SPARQLqueries that are executed over the knowledge base.However, given OWL is monotonic, it is not clear howchanges to contextual information are handled in theproposed approach.

In Costabello et al. [17], in addition to the SPARQLquery that the user wishes to execute, the user providestheir access credentials, in the form of a SPARQLUPDATE query, which contains contextual data. Theenforcement framework stores the contextual data ina named graph and retrieves the authorisations thatmatch the query type. In order to determine if access ispermitted, the ASK query and the BINDINGS, that arespecified in the authorisation, are executed against theusers contextual graph. If the ASK query returns truethen the query is rewritten to include the correspondingnamed graph.

2.2. Access Control Standardisations

In recent years, there have been a number of stan-dardisation efforts, by both the World Wide Web Con-sortium (W3C) and the Organization for the Advance-ment of Structured Information Standards (OASIS), inrelation to access control for web data. This sectionprovides a high level overview of the relevant stan-dards and details how they have been adapted or en-hanced using semantic technology. A summary of the


existing work relating to each of the aforementionedstandards is presented in Table 2 and the key conceptsare represented in Figure 2 using a timeline. In eachinstance we make the distinction between simply ap-plying versus extending the standard.

2.2.1. eXtensible Access Control Markup LanguageThe eXtensible Access Control Markup Language

(XACML)4, is an OASIS standard, which is used torepresent attribute based access control policies [71].XML was chosen as the representation formalism forthe policy language as it: (i) can be used to representinformation in a human and machine readable manner;(ii) can easily be adapted to represent different accesscontrol requirements; and (iii) is widely supported bysoftware vendors. The specification provides an XMLschema which can be used to represent attribute basedaccess control policies. The root of an XACML pol-icy is a Policy or a PolicySet (used to representmultiple policies). Policies are composed of sets ofRules that are in turn composed of sets of Targets(conditions relating to Subjects, Resources andActions) and an Access Decision (permit,deny or not applicable). A Request is represented asa tuple 〈subject, resource, action, environment〉.Where subject represents the entity requesting access,resource denotes the object to be protected, action de-fines the type of access and environment represents therequesters attributes. The XACML framework is com-posed of the following components:

– a policy decision point, which evaluates policiesand returns a response;

– a policy enforcement point, which is responsiblefor making decision requests and enforcing thedecisions;

– a policy information point, which obtains at-tributes pertaining to subjects, resources and theenvironment; and

– a policy administration point, which enables poli-cies and sets of policies to be created and updated;

A number of researchers have used Semantic Webtechnologies to supplement the existing XACMLframework. Primary research efforts include: (i) ex-tending XACML to cater for deductive reasoning overattribute ontologies[67,68,14]; (ii) extending XACMLpolicies with context [32]; and (iii) adapting XACMLto work with roles [28].

Extensions. Priebe et al. [67,68] present an extensionto XACML, which enables deductive reasoning over

attribute ontologies, specified using OWL. In order tosupport reasoning, the authors propose two additionalarchitecture components: an ontology administrationpoint and an inference engine. Attribute ontologies arecreated and updated using the ontology administrationpoint. If the attributes presented by the requester arenot explicitly stated in the access control policy, thesystem attempts to infer the required access rights fromthe policy attributes, requester attributes and the at-tributes ontology, using the inference engine. Chen andStuckenschmidt [14] also extend XACML with OWLdeductive reasoning capabilities. XACML policies arespecified using OWL and access control is enforcedvia query rewriting. The authors use SPARQL filters toboth permit and deny access to instance data. Reason-ing over the data, represented in the filters, is delegatedto reasoners which support OWL and SPARQL.

Franzoni et al. [32] demonstrate how XACML canbe extended to consider access control based on con-textual properties pertaining to either the user or theapplication. In addition to standard access control poli-cies, specified using XACML, the authors propose finegrained access control policies, which are used to spec-ify the instances of a concept that a user is permit-ted to access. The proposed fine grained access controlpolicies are enforced over RDF data, by expanding aSeRQL query (an alternative to SPARQL), to includetriple patterns for the instances that are permitted.

Ferrini and Bertino [28] describe an extension ofXACML, which uses a combination of XACML andOWL, in order to support RBAC constraints, such asstatic and dynamic separation of duty. Like Franzoniet al. [32], XACML policies are specified using OWL,therefore it is possible to take advantage of OWL’s outof the box reasoning capabilities. The authors proposea two layer framework where access control policiesare specified using XACML and constraints and rolehierarchies are represented using OWL. They furtherextend the XACML enforcement framework which en-hances the XACML engine with Description Logicreasoning capabilities.

2.2.2. Web Identity and DiscoveryWeb Identity and Discovery (WebID)7, which is

supported by a W3C community group, is a mecha-nism used to uniquely identify and authenticate a per-son, company, organisation or other entity, by means ofa Uniform Resource Identifier (URI) [80]. Essentiallya WebID is a HTTP URI which is used to represent an

7WebID, http://www.w3.org/wiki/WebID

http://www.w3.org/wiki/WebID


Table 2Access Control Standards - Adoption and Extension

Standard Category Adoption ExtensionXACML Access Control Priebe et al. [67,68] RDF modelling reasoning

Ferrini and Bertino [28] RDF modelling context awarenessFranzoni et al. [32] RDF modelling RBAC using XACML

WEBID Authentication Hollenbach et al. [39] FOAF & SSL -Berners-Lee et al. [5] FOAF & SSL -Stermsek et al. [85] attributes & public keys -

WAC Access Control Hollenbach et al. [39] WebID & WAC -Villata et al. [100] RDF modelling fine grained policiesSacco and Passant [75] RDF modelling fine grained policies

P3P PrivacyPreferences

Garcia and de Toledo [34] P3P policies in OWL -

Kolari et al. [55] RDF modelling expressive preferences

ODRL General policies Cabrio et al. [13] ODRL licenses in RDF -Steyskal and Polleres [86] ODRL access policies in RDF -

Fig. 2. Access Control Standards

2002 2004 2006 2008 2010 2012 2014

XACML

WEBID

WAC

P3P

ODRL

RDF modelling & rea

soning[67]

RDF modelling & contex

t[32]

RDF modelling & RBAC usin

g XACML[28]

attributes

& publickeys[8

5]

FOAF & SSL[39]

FOAF & SSL[5]

WebID& WAC[39]

fine grained

policies[

100][75]

RDF modelling & expres

sive pref

erences

[55]

P3P policies

in OWL[34]ODRL lice

nsein RDF [13],

ODRL access

policies

in RDF[86]

Publication Year

Acc

ess

Con

trol

Stan

dard

agent. A description of the agent is provided in an RDFdocument, known as a WebID profile, which can bedereferenced using 303 redirects or Hash URI’s. TheWebID-TLS protocol (where TLS stands for TransportLayer Security) specifies how together a WebID pro-file and a public key certificate can be used to authen-ticate users [88]. The user places their WebID profile

document URI in the Subject Alternative Names fieldof their certificate. Once the certificate has been gen-erated the user adds the public key details to their We-bID profile document. A service wishing to authenti-cate the user, needs to verify that the public key of thecertificate it receives matches the public key specifiedin the WebID profile.


Adoption. Hollenbach et al. [39] use FOAF8 and theSecure Sockets Layer (SSL) to determine if the pub-lic key in the users FOAF profile matches that of thecertificate. When a requester attempts to authenticate,the system extracts the public key from the certifi-cate. The system subsequently verifies the signatureand if successful, a SPARQL query is executed againstthe FOAF profile, in order to verify that it contains amatching public key.

In Berners-Lee et al. [5], the authors describe theirvision of a read-write web of data and present a proofof concept. Like Hollenbach et al. [39], the authorsdiscuss how WebID together with FOAF+SSL, can beused for authentication. It is worth noting that althoughStermsek et al. [85] do not use the term WebID, theydescribe how attributes pertaining to a subject (com-monly known as credentials), can be associated withpublic keys and attached to digital certificates.

2.2.3. Web Access ControlWebAccessControl (WAC)9 is an RDF vocabulary

and an access control framework, which demonstrateshow together WebID and access control policies spec-ified using the WAC vocabulary, can be used to en-force distributed access control. WAC authorisationsgrant agents, access to resources. Agents are spec-ified using the agent and agentClass proper-ties and resources are specified using the accessToand accessToClass properties. Whereas, Read,Write, Append and Control access rights are rep-resented as classes. Once the user has been authenti-cated using WebID, the system checks if a policy existswhich grants the user access to the requested resource.If no such policy exists, then the system checks forclasses that are granted access. For each class the sys-tem dereferences the URI and checks if the users We-dID is a type of the given class. If yes, then the user isgranted access to the system. When it comes to WAC,primary research efforts focus on: (i) demonstratinghow WebID and WAC can be used for authenticationand authorisation respectively [39]; and (ii) extendingthe WAC vocabulary to cater for more expressive ac-cess control policies [100,75].

Adoption. In addition to using WebID for authentica-tion, Hollenbach et al. [39] use the WAC vocabulary

8FOAF, http://xmlns.com/foaf/spec/9WAC,http://www.w3.org/wiki/

WebAccessControl

to specify access control policies. The authors providea mapping between permissions and HTTP operationsand demonstrate how together WebID and WAC canbe used to grant/deny access to web resources. In or-der to verify if the user has the permissions requiredto perform the requested HTTP operation, a SPARQLquery is executed against the access control policy. Ifaccess is denied, a 403 response is returned from theserver.

Extensions. Both Villata et al. [100] and Sacco andPassant [75] extend the WAC to cater for access con-trol over the RDF data model. Using the extended vo-cabularies, it is possible to associate access controlwith individual RDF resources (subjects, predicatesand objects) and also collections of RDF resources(named graph). In addition, the authors extend the vo-cabulary to cater for a broader set of access privi-leges (create, read, write, update, delete,append and control).

2.2.4. Platform for Privacy PreferencesPlatform for Privacy Preferences (P3P)10, is a W3C

recommendation, which enables websites to expresstheir privacy preferences in a machine readable for-mat. Like XACML, the specification provides an XMLSchema, which can be used to specify policies. Inaddition, the specification details how privacy poli-cies can be associated with webpages/websites anddescribes how P3P policies can be used in conjunc-tion with HTTP. Organisations wishing to specify ma-chine readable privacy policies can publish their pri-vacy policies using the P3P syntax. A reference to thepolicy can be added to a well known location (for ex-ample, /w3c/p3p.xml), which can be specified us-ing the HTML link tag, or alternatively can form partof the HTTP Response. P3P agents can be built intobrowsers, plug-ins or proxy servers. The agent is re-sponsible for fetching the servers privacy preferencesand taking some action. This action can vary fromsimply displaying a symbol, to comparing the serversprivacy preferences to those of the client and takingsome form of action. A related specification calledA P3P Preference Exchange Language (APPEL) [21]presents a vocabulary, which is used by individuals (asopposed to websites) to express their privacy prefer-ences. When it comes to P3P and RDF, primary re-search efforts focus on: (i) representing P3P policiesusing OWL Garcia and de Toledo [34]; and (ii) extend-

10P3P,http://www.w3.org/TR/P3P/

http://www.w3.org/wiki/WebAccessControl

http://www.w3.org/wiki/WebAccessControl

http://www.w3.org/TR/P3P/


ing the P3P vocabulary to cater for more expressiveprivacy preferences Kolari et al. [55].

Adoption. Garcia and de Toledo [34] demonstrate howP3P policies can be represented in OWL. The authorsdetail how the Web Services Policy Framework (WS-Policy) can be used by service providers and con-sumers to specify their privacy policies using OWLontology concepts based on the P3P vocabulary. Poli-cies are associated with web services and access is de-termined by a broker by comparing consumer privacypreferences with provider privacy guarantees, takinginto account the semantic relationships between ontol-ogy concepts.

Extension. Kolari et al. [55] propose an extension toP3P, to cater for more expressive privacy preferences.The P3P policies are specified using a policy languagebased on Semantic Web technologies, known as Rei.As Rei is a general policy language, it can easily beused to represent existing P3P policies in a mannerwhich supports reasoning based on context. As accessrights in Rei are based on deontic logic, it is possibleto model, not only positive and negative permissions,but also positive and negative obligations.

2.2.5. The Open Digital Rights LanguageThe Open Digital Rights Language (ODRL)11 is a

general rights language, which is used to define rightsto or to limit access to digital resources. The informa-tion model and the associated semantics is documentedin the core model. Whereas, the common vocabularyprovides a dictionary of terms that can be used to ex-press permissions, prohibitions, constraints, and du-ties with respect to digital assets. In addition, a num-ber of serialisations of the core model are providede.g. XML, JSON and RDF. The core model may beamended/extended in order cater for disparate policyrequires (i.e. different communities may define theirown ODRL profiles). When it comes to ODRL and theRDF specifically, primary research efforts to date fo-cus on: (i) using ODRL vocabularies to specify RDFlicenses Cabrio et al. [13]; and (ii) demonstrating howODRL can be used to express a variety of access poli-cies Steyskal and Polleres [86].

Adoption. Cabrio et al. [13] demonstrate how togetherthe Creative Commons Rights Expression LanguageOntology can be used to specify Creative Commons

11ODRL,https://www.w3.org/community/odrl/

(CC) licenses and how the ODRL Ontology can beused to model all other licenses. In addition, the au-thors use Natural Language Processing (NLP) tech-niques to automatically generate machine readable li-censes (represented using RDF) from their natural lan-guage counterparts. Steyskal and Polleres [86] exam-ine the suitability of ODRL for specifying access poli-cies for Linked Data. The authors present several mo-tivating scenarios and demonstrate via example howODRL can be used to: (i) restrict access to specificdatasets; (ii) limit the number of permissible requests;(iii) grant or deny access for a specific time window;(iv) represent common licenses; (v) limit data reuse;and (vi) define policies that require the payment of du-ties.

3. General Policy Languages and Frameworks

Policy languages can be categorised as either gen-eral or specific. In the former, the syntax caters for adiverse range of functional requirements (access con-trol, query answering, service discovery, negotiation,to name but a few), whereas the latter focuses on justone functional requirement. Two of the most well-known access control languages, KAoS [11,12,95] andRei [47,48], are in fact general policy languages. Nat-ural language, programming languages, XML and on-tologies can all be used to express policies. XML andontologies are two popular choices for representingpolicy languages as they benefit from flexibility, ex-tensibility and runtime adaptability. However, ontolo-gies are better suited to modelling the semantic rela-tionships between entities. Also, the common frame-work and vocabulary used by ontologies, to representdata structures and schemas, provides greater inter-pretability and interoperability. Regardless of the lan-guage chosen, a logic based underlying formalisationis crucial for automatic reasoning over access controlpolicies.

The work presented in this section is limited to pol-icy languages that use ontologies, rules or a combina-tion of both to represent general policies. A summaryof the existing proposals is presented in Table 3. While,a detailed timeline is presented in Section 5.

As the objective is to provide the reader with anoverview of each approach, a detailed description ofwell known frameworks in each category is presented.For a broader comparison of policy languages, the au-thor is referred to a survey by Bonatti and Olmedilla[8]. The authors divide the criteria into two categories:

https://www.w3.org/community/odrl/


Table 3General Policy Languages - Policy Representation and Enforcement

Policy Type Policy Representation Enforcement Mechanism Enforcement FrameworkKAoS [11,12,95] ±authorisations

±obligationsDAML & OWL DL based enforcement conflict resolution & harmoni-

sationRei [47,48] ±authorisation

±obligationsRDFS, Prolog Rules &OWL

rule based enforcement dynamic constraints, runtimevariables, conflict resolutionvia metapolicies

Protune [10,7,8] decision, provisional &abbreviation predicates

lightweight ontologies, rulesand meta rules

rule based enforcement disclosure & negotiation

Proteus [92] - policies and domain info asclasses, user context as in-stances

DL & rule based enforcement conflict resolution & harmon-isation, dynamic constraints,runtime variables, disclosure& negotiation

Kolovski et al. [56] - XACML policies as DL DL & rule based enforcement disclosure, rules for conflictresolution

the more theoretical criteria, which they refer to ascore policy properties (well-defined semantics, mono-tonicity, condition expressiveness, underlying formal-ism) and the more practically oriented criteria, whichthey refer to as contextual properties (action execu-tion, delegation, type of evaluation, evidences, nego-tiation support, policy engine decision, extensibility).However the criteria was devised in order to compareexisting policy languages that focus on access controland trust, therefore it would need to be amended de-pending on the access control requirements of the spe-cific use cases. In Section 5 we present an extendedlist of requirements that are derived from several pa-pers that examine access control for RDF. Like Bon-atti and Olmedilla [8], De Coi et al. [23] investigatethe interplay between trust, access control and policylanguages. While, Yagüe del Valle et al. [104] exam-ine the different layers of the Semantic Web, Damianiet al. [22] and Weitzner et al. [102] focus on the accesscontrol mechanisms that are required to support newaccess control paradigms and Ryutov et al. [73] inves-tigating access control requirements from a graph datamodel perspective.

3.1. Ontology Based Approaches

Using ontologies it is possible to specify access con-trol vocabularies that can easily be adopted by oth-ers. Additionally, access control policies specified us-ing different vocabularies can be merged using existingontology integration and merging techniques12. Fur-thermore, it is possible to infer new policies based onrelationship between access control entities (deductive

12Ontology integration and merging techniques,http://semanticweb.org/wiki/Ontology_Integration_and_Merging.htmlreasoning) and determine the access rights required to

meet a given policy (abductive reasoning) over accesscontrol policies, with standard description logic rea-soners. This section examines KAoS [11,12,95] a gen-eral policy language which adopts a pure ontologicalapproach.

3.1.1. KAoSKAoS [11,12,95] is an open distributed architec-

ture, which allows for the specification, managementand enforcement of a variety of policies. In initial ver-sions of the language, policies were represented usingDAML13. However, the authors later moved to OWL,the successor of DAML [99]. As both DAML andOWL are based on description logic, using the KAoSlanguage it is possible to define class and property hi-erarchies, along with inference rules. Although KAoSwas originally designed to enable interoperability be-tween complex web agents (software that acts on be-half of humans) [11,89], it was later applied to webservices [96,97,99,98] and grid computing [45,96].

Policy Specification. The authors define a set of corevocabularies, known as KAoS policy ontologies, thatis used to specify policies. A policy is used to expresseither an authorisation or an obligation, on the partof one or more actors, with respect to actions relat-ing to resources. Policies are represented as instancesof the aforementioned policy types. The language isnot meant to be exhaustive, but rather to provide a ba-sis, which can be further extended, to cater for usecase specific classes, instances and rules. In order tosimplify policy administration and enforcement, actorsand resources are organised into domains, that can benested indefinitely. Domains and subdomains are usedto represent complex relationships between classes and

13DAML, http://www.daml.org/

http://semanticweb.org/wiki/Ontology_Integration_and_Merging.html




instances, such as organisation structures.

Enforcement of policies. The authors propose a gen-eral policy and domain services framework, whichconsists of the following components: a policy ad-ministration tool, directory services, guards, enforcersand a domain manger. The policy administration tool,known as KPAT, is a user friendly interface that allowsadministrators, who are unfamiliar with DAML andOWL, to either specify new or maintain existing poli-cies. Guards are responsible for enforcing platform in-dependent policies. While, enforcers are responsiblefor enforcing policies that are platform dependent. Thedomain manger is used to manage domain member-ship and to distribute policies to guards. This compo-nent is also responsible for notifying the guards of anypolicy updates. Given that the actual enforcement maydepend not only on the action to be performed, but alsoon the application, it may be necessary for the devel-oper to implement platform specific code. In order tosimplify the integration of these custom enforcementmechanisms with the KAoS framework a number ofinterfaces are provided as a guide for developers.

In a follow up paper [94], the authors discuss howdescription logic can be used to support policy admin-istration, exploration and disclosure. From an adminis-tration perspective the authors are primarily concernedwith subsumption based reasoning and the determina-tion of disjointness. The former is used to investigate ifone class is a more general form of another (e.g. in rolehierarchies an IT manager is also an employee) andthe latter is used to ensure that sets of subjects, accessrights and objects are mutually exclusive (e.g. a usercannot belong to an administrative roles and a non-administrative role). Using abductive reasoning it ispossible to both test constraints, and to return relevantconstraints given one or more properties. Using de-ductive reasoning it is possible to identify and resolveconflicts at design time. The authors propose a generalalgorithm for conflict resolution and harmonisation,which can be used even when the entities (actors,actions, resources and policies) are spec-ified at different levels of abstraction. The proposedconflict resolution strategy is based on policy prioritiesand timestamps. In the event of a conflict the algorithmtakes the policy with the lowest precedence and subdi-vides it until the conflicting part has been isolated. Theconflicting policy is removed, and non conflicting poli-cies are generated and feed into the knowledge base.

3.2. Rule Based Approaches

One of the benefits of a rule based approach is thatit is possible to support access control policies thatare dependent on dynamic constraints that can only beevaluated at run time. Like ontology based approaches,access control policies are defined over ontology en-tities. This section examines two different rule basedlanguages and enforcement frameworks, Rei [47,48]and Protune [10,7,8].

3.2.1. ReiRei [47,48] is a Semantic Web policy language and

distributed enforcement framework, which is used toreason over policies, that are specified using RDFSor Prolog rules. As OWL has a richer semantics thanRDFS, the authors later provided an OWL representa-tion for their policy language [24,49]. Like KAoS, Reiis a general policy language which can be applied toagents and web services [24,46]. Although Rei poli-cies can be represented using RDFS or OWL the au-thors adopt a rule based enforcement mechanism, incontrast to the description logic enforcement mecha-nism adopted by KAoS.

Policy Specification. Rei provides support for fourdistinct policy types, permissions, prohibitions, obli-gations and dispensations. Whereby, permissions andprohibitions in Rei are equivalent to positive and neg-ative authorisations in KAoS, and likewise obligationsand dispensations in Rei and equivalent to positive andnegative obligations in KAoS. By choosing to repre-sent access rights as speech acts Rei is able to supportnot only a wide range of policies but also the delega-tion and revocation of policies. A policy is composedof a set of rules, based on the four policy types, that areused to associate conditions with actions. A has pred-icate is used to associate permissions and obligationswith entities. Like KAoS, the core ontologies can befurther extended to meet the requirements of specificuse cases.

Enforcement of policies. The Rei policy framework,called Rein (Rei and N3) [46,49], consists of the fol-lowing components:

– a set of ontologies, used to represent the Rein pol-icy network, which is composed of the Rein pol-icy language, resources, policies and metapolicies(additional rules over the policy language com-monly used to specify defaults and to resolve con-flicts) and access requests; and


– a reasoning engine, that uses both explicit and de-rived knowledge to determine if a request shouldbe granted or denied.

The authors propose a distributed enforcement archi-tecture, whereby each entity is responsible for specify-ing and enforcing their own policies. Rein is capableof acting as a server or a client. In server mode, Reinretrieves the relevant policies; requests the credentialsnecessary to access the resource; and verifies the cre-dentials against the policies. Whereas in client mode,the server returns a link to a policy which the clientmust satisfy; the Rein client generates a proof that therequester can satisfy the policy; and forwards the proofto the server. In order to cater for scenarios where partof the policy is private and part is public, the authorspropose a hybrid approach, where Rein acts both as aclient and a server. For example, if a company offers adiscount for a product/service, the policy will requestproof of a valid discount (i.e. the public part), howeverthe details of the relevant discounts will not be dis-closed (i.e. the private part). The details of how sucha hybrid approach would work in practice are left tofuture work.

Using Rein it is possible to combine and reasonover different access control policies, metapolicies andpolicy languages. Policies are expressed using eitherRDFS or OWL, and inference over both data resourcesand policies is performed using an N3 reasoner, knownas Cwm14. N3 was originally used as a representationsyntax for RDF, however it was later extended to allowfor variables and nested graphs. Cwm extends N3 withinference rules and built-in functions, making it pos-sible to express relationships between graphs, specifyboth existential and universal constraints and to rep-resent implication. Although the authors demonstratehow the Rei vocabulary can be used to specify poli-cies, these policies could be represented using alterna-tive vocabularies.

In Kagal et al. [48], the authors discuss how conflictresolution can be achieved using metapolicies. Prior-ity policies are used to indicate dominance betweenpolicies or policy rules. While, precedence policies areused to specify a default grant or deny, for policies, setsof actions or sets of entities satisfying specific condi-tions. In order to guarantee that a decision can alwaysbe reached, the authors propose a partial order betweenmetapolicies. Given Rei allows for policies to contain

14Cwm, http://www.w3.org/2000/10/swap/doc/cwm.html

variables, conflicts need to be resolved at run-time, asopposed to design-time, in the case of KAoS.

3.2.2. ProtuneProtune [10,7,8] is a policy language which was

proposed by the Research Network of Excellence onReasoning on the Web, known as REWERSE15. LikeRei, Protune adopts a rule based approach to policyenforcement. The authors identify usability as one ofthe primary factors for a policy aware web. To thisend, Protune was designed to support both trust ne-gotiation and policy explanations. Lightweight ontolo-gies are used to represent concepts, the relationshipsbetween these concepts and details of the evidencesneeded to prove their truth. Protune is an extensionof two other well known policy languages, the Portfo-lio and Service Protection Language (PSPL) [9] andPeerTrust [35]. PSPL is a model and framework, whichuses rules to support policy filtering, policy exchangeand information disclosure. Whereas, PeerTrust is alanguage and a framework, which uses semantic anno-tations and access control rules, in order to cater forautomated trust negotiation and access control.

Policy Specification. Protune policies are specified us-ing rules and meta-rules (essentially horn clauses withsome syntactic sugar), which provide support for bothdeductive and abductive reasoning. The former is usedto enforce policies, whereas the latter is used to retrieveinformation about the policy conditions that need to besatisfied. Protune provides three predicate categories(decision predicates, provisional predicates and abbre-viation predicates).

– Decision predicates are used to specify the out-come of a policy.

– Provisional predicates are used to represent theconditions the requester must satisfy. By defaultthe system supports two conditions: requests forcredentials and request for declarations. Both cre-dentials and declarations are used to assert factsabout the requester, however credentials are certi-fied by a third party, whereas declarations are not.

– Abbreviation predicates, which are composed ofone or more provisional predicates, are used torepresent abstractions of the conditions listed inthe body of the rule, simplifying policy specifica-tion and maintenance.

15REWERSE, http://rewerse.net/


It is also possible to extend the language with custompredicate categories. Ontologies are used to associateevidences (descriptive requirements of what is neededto meet the conditions) with access conditions. Evi-dences of this nature facilitate negotiation.

In protune metarules are used to specify constraintsand to drive negotiation decisions. For instance usingmetarules it is possible to attach a provisional predi-cate to an action in order to specify the actor who ispermitted to execute the action, or to assign sensitiv-ity levels to predicates and rules that can be used forpolicy filtering (i.e. to remove the sensitive parts of thepolicy).

Enforcement of policies. The enforcement frameworkis composed of three separate components, a negoti-ation handler, an execution handler and an inferenceengine.

– The negotiation handler is responsible for send-ing conditions to the requester and providing re-sponses to conditions that were requested.

– The execution handler is used to interact with ex-ternal systems and data sources.

– The inference engine is tasked with both enforc-ing policies (deduction) and retrieving evidences(abduction).

Like Rei, Protune can be used as a client, as a server,or both. Protune-x is a key component of the Protuneframework, which provides policy explanations in con-trolled natural language. Using verbalization metarulesit is possible to specify in controlled natural languagehow domain-specific atoms have to be rendered. Forexample using the following rule it is possible to ex-plain that Y is the password of X:

passwd(X, Y ) → verbalization :Y &” is the password of ”&X.

Protune-x supports four different types of queries:

– How-to queries (provide a description of the pol-icy).

– What-if queries (give foresight into potential pol-icy outcomes).

– Why queries (give explanations for positive out-comes).

– Why-not queries (give explanations for negativeoutcomes).

Protune is developed in Java with a Prolog reasoningcomponent, which is compiled into Java byte code.

3.3. Hybrid Approaches

A hybrid approach to policy specification and en-forcement can be used to exploit the out of the boxdeductive capabilities, of an ontology based approach,and the runtime inference capabilities, of a rule basedapproach. This section describes Proteus [92] whichuses a combined approach to policy enforcementand examines an alternative approach, presented byKolovski et al. [56] which demonstrates how descrip-tion logic based access control policies can be ex-tended with defeasible logic rules.

3.3.1. ProteusProteus [92] uses a hybrid approach to access con-

trol policy specification. The authors examine earlyversions of KAoS and Rei, and highlight the strengthsand weaknesses of both ontology based and logicbased policy languages and frameworks. Like KAoSthe authors use ontologies to model both domain infor-mation and policies. Such an approach allows for con-flict resolution and harmonisation at design time. LikeRei, the authors adopt a rule based approach in orderto support dynamic constraints and run time variables.For example, to support access control based on dy-namic context pertaining to the requester or the envi-ronment. Like Protune, policy descriptions are used tofacilitate partial policy disclosure and policy negotia-tion.

Policy Specification. Policies are represented as classesand contextual information, relating to the user, arerepresented as instances. Description logic deductionis used to determine the policies that are relevant forthe instance data supplied. However, using descriptionlogic reasoning it is not possible to cater for contextualproperties that are based on property paths or that areassociated with variables. In order to handle reasoningof this nature, the authors propose context aggregationand context instantiation rules. Such rules are repre-sented as horn clauses, with predicates in the head andontological classes and properties in the body.

Enforcement of policies. The Proteus policy frame-work [93] is composed of the following core compo-nents: a policy installation manager, a reasoning core,a policy enforcement manager and a context manager.

– The policy installation manager is responsible forloading ontologies, access control policies, con-textual information and quality constraints.


– The reasoning core performs reasoning over poli-cies, context and quality constraints in order todetermine which policies are currently active.

– The policy enforcement manager intercepts ac-tion requests, collects relevant contextual infor-mation and interacts with the reasoning core inorder to determine if access should be granted ordenied.

– The context manager collects state informationpertaining to system entities and forwards thiscontextual information to the reasoning core.

The authors provide details of their prototype which isimplemented in Java with a Pellet reasoner. The pro-posed solution supports incremental reasoning via anOWL application programming interface and SPARQLqueries.

3.3.2. Kolovski et al. [56]Kolovski et al. [56] demonstrate how together de-

scription logic and defeasible logic rules, known asdefeasible description logic [36], can be used to un-derstand the effect and the consequence of sets ofXACML access control policies.

Policy Specification. The XACML policies are rep-resented using description logic and the combinationalgorithm, which is used to handle conflicts is rep-resented using defeasible description logic rules. Theformalism supports both strict rules that cannot beoverridden and defeasible rules that may be overriddenby a higher priority rule.

Enforcement of policies. Although the actual enforce-ment framework is not presented, the following subsetof policy services are described:

– Constraints. Like Finin et al. [29,30] the pro-posed solution caters for role cardinality and sep-aration of duty;

– Comparison. Policies or sets of policies can becompared in order to determine if one is equiva-lent to or logically contains the other;

– Verification. Like Bonatti and Olmedilla [8], thiscomponent checks if the policy satisfies a givenproperty;

– Incompatibility. This component provides de-tails of policies that cannot be active at the sametime;

– Redundancy. This component checks hierarchiesto ensure that all policies are reachable; and

– Querying. Given a set of attributes, this compo-nent searches for relevant policies.

The proposed XACML analysis prototype is imple-mented on top of Pellet (an open source descriptionlogic reasoner).

4. Access Control for RDF

This section presents the different access controlmechanisms that have been used to protect RDF data.In particular, it focuses on the specification of ac-cess control policies, the different enforcement mech-anisms, the simplification of administration using dif-ferent reasoning strategies and the alternative tech-niques used to return partial query results. A summaryof the existing proposals is presented in Table 4. While,a detailed timeline is presented in Section 5.

4.1. Specification of Access Control for RDF

Over the years several researchers have focused onspecification of access control policies over RDF data.A number of authors [70,41,1,31] define access controlpolicies based on RDF patterns, that are mapped to oneor more RDF triples. Others [57,33,17] propose viewbased access control strategies for distributed RDFdata. Whereas, [75,76,77,74,100,17,18,86,87] proposeaccess control ontologies.

4.1.1. RDF PatternsTriple patterns are triples that can potentially con-

tain variables in the subject, predicate and object po-sitions. From an access control perspective triple pat-terns are used to match multiple triples.

In Reddivari et al. [70] two predicates permit andprohibit are used to grant and deny access rights toone or more triples using triple patterns. Access con-trol policies are defined using Prolog facts and rulesand compiled into Jena rules. Authorisations can befurther constrained using conditions relating to poli-cies, triples and agents:

– policy specific conditions relate to the access con-trol policies, for example a user can only add in-stances if they added the class.

– triple specific conditions correspond to the triplespecified in the authorisation, for example if anauthorisation governs a triple then all triples as-sociated with a subProperty relation are governedby the same policy.


Table 4Access Control for RDF - Policy Representation and Enforcement

Policy Representation Enforcement FrameworkAbel et al. [1] RDF patterns with WHERE clause query rewriting via bindingsAmini and Jalili [3]Ehsan et al. [26]

- reasoning framework

Bao et al. [4] safe reasoningChen and Stuckenschmidt [14] - query rewriting via FILTERSDietzold and Auer [25] ontology triples, classes and properties using SPARQL views for

data filteringFlouris et al. [31] RDF patterns with WHERE clause -Franzoni et al. [32] - query rewriting via bindingsGabillon and Letouzey [33] - SPARQL views for data filteringJain and Farkas [41] RDF patterns RDFS inference to deduce annotationsJavanmardi et al. [43] - reasoning over ontology concepts, properties

and individualsKim et al. [50] - RDFS inference to deduce authorisationsKirrane et al. [53,52] RDF patterns flexible authorisation

frameworkLi and Cheung [57] views query rewriting via expanded viewsLopes et al. [58] - RDFS inference and rights propagationMühleisen et al. [60] ontology triple patterns, resources and in-

stancestemporary named graphs for data filtering

Oulmakhzoune et al. [64] - query rewriting via FILTERSPapakonstantinou et al. [65] - RDFS inference and rights propagationQin and Atluri [69] - reasoning over ontology conceptsReddivari et al. [70] RDF patterns -Ryutov et al. [72,73] - reasoning based on the semantic networkSacco et al. [77]Sacco and Passant [75,76]Sacco and Breslin [74]

using ontologies to extend WAC SPARQL ASK queries

Steyskal and Polleres [86,87] using ontologies to represent ODRLVillata et al. [100]Costabello et al. [17,18]

using ontologies to extend WAC SPARQL ASK queries,query rewriting using named graphs

– agent specific conditions use properties of theuser to limit the authorisation, for example it ispossible to limit access to users who are managersin a specific company division.

Abel et al. [1], Flouris et al. [31] and Kirrane et al.[53,52] also use RDF triple patterns to expose or hideinformation represented as RDF. However, Abel et al.[1] and Flouris et al. [31] go beyond simple graph pat-terns by allowing the graph pattern to be constrainedby a WHERE clause.

Jain and Farkas [41] also use triple patterns to spec-ify access control policies, however the authors buildon the approach proposed by Reddivari et al. [70], bydemonstrating how RDFS entailment rules can be usedto derive access rights for inferred triples (see Sec-tion 4.4).

4.1.2. Views and Named GraphsAn RDF graph is a finite set of RDF triples. Named

graphs are used to collectively refer to a number ofRDF statements. A collection of RDF graphs, whichcan include a default graph and one or more namedgraphs is known as an RDF dataset.

Gabillon and Letouzey [33] highlight the possibleadministration burden associated with maintaining ac-cess control policies that are based on triple patterns.They propose the logical distribution of RDF data intoviews using SPARQL CONSTRUCT and DESCRIBEqueries and the subsequent specification of access con-trol policies, based on existing RDF graphs or prede-fined views. Access control policies are specified us-ing contextual information pertaining to the user, re-sources or the environment. The body of the rule isa possibly empty condition, or a combination of con-ditions connected via conjunction or disjunction. Thehead of the rule is an authorisation. Like Gabillon andLetouzey [33], Dietzold and Auer [25] describe howRDF data can be logically organised into views usingSPARQL CONSTRUCT queries.

4.1.3. Ontology ConceptsSacco and Passant [75,76] and Sacco et al. [77]

demonstrated how an extension of the Web AccessControl vocabulary known as the Privacy PreferencesOntology (PPO) can be used to restrict access to anRDF resources, statements and graphs. An access con-trol policy is composed of:


– a restriction in the form of an RDF resource, state-ment or graph;

– a condition which provides specific details ofthe restriction, for example hasProperty,hasLiteral;

– an access privilege, for example read and/orwrite access rights; and

– a SPARQL ASK query that must be satisfied bythe requester.

A follow-up paper Sacco and Breslin [74] extends theoriginal PPO to allow access to be restricted based ona dataset or a particular context. The authors also pro-vide support for more expressive authorisations (in theform of negation and logical operators), and a broaderset of access privileges (create, read, write,update, delete, append and control).

An alternative access control vocabulary called So-cial Semantic SPARQL Security for Access Control(S4AC) is presented in Villata et al. [100]. Like Saccoand Passant [75] they extend the WAC to cater forfine grained access control over RDF data. Their pro-posal is tightly integrated with several social web andweb of data vocabularies. The authors define accesscontrol policies for named graphs, which can also beused to grant/deny access to sets of triples. S4AC pro-vides support for logical operators and a broad set ofaccess privileges (create, read, write, update,delete, append and control) from the offset.

In contrast Steyskal and Polleres [86] discuss howan alternative vocabulary known as the Open DigitalRights Language (ODRL) 2.0 ontology can be used tospecify access policies for Linked Data. The ODRLvocabulary is more general than the WAC vocabulary,and thus in addition to standard access control poli-cies the authors demonstrate how ODRL can be usedto represent common licenses and policies that requirepayment. In a follow-up paper [87], the authors pro-pose a formal semantics for ODRL, which can be usedas the basis for rule based reasoning over ODRL poli-cies.

4.2. Enforcement of Access Control for RDF

Over the years several researchers have focused onthe modelling and enforcement of access control overRDF data. Existing proposals can be summarised asfollows: (i) demonstrating how access control can beenforced on top of RDF Data [70,33]; and (ii) enforc-ing access control over access control policies repre-sented as RDF using SPARQL ASK queries [75,100].

4.2.1. Policy LayerReddivari et al. [70] define a set of actions required

to manage an RDF store and demonstrate how accesscontrol rules can be used to permit or prohibit the re-quested actions. The actions are organised into fourcategories:

– adding (the insertion of explicit triples, implicittriples and sets of triples);

– deleting (the deletion of explicit triples, im-plicit triples and sets of triples);

– updating (directly replacing one triple with an-other); and

– querying (returning triples or using triples toreturn answers to queries).

The proposed RDF Store Access Control Policies(RAP) framework checks the policy to ensure that theaction is permitted, temporarily allows the action, andafterwards checks the policy to ensure that the infer-ences are allowed. The authors propose default andconflict preferences that can simply be set to eitherpermit or deny.

Like Reddivari et al. [70], Flouris et al. [31] pro-pose a default policy and a conflict resolution strat-egy. They formally define the semantics of the indi-vidual access control statements and the entire accesscontrol policy, and present the different possible in-terpretations for the default semantics and the conflictresolution. A flexible system architecture that demon-strates how the access control enforcement frameworkcan be used with disparate RDF repositories and querylanguages is presented. The system is implemented us-ing Jena ARQ, Jena SDB with a Postgresql back-endand Sesame.

Gabillon and Letouzey [33] describe an enforce-ment framework, whereby users define security poli-cies for the RDF graph/views that they own. Users maydelegate rights to other users by specifying an autho-risation which grants construct and describeprivileges to the RDF graph or view. Although theauthors acknowledge the need for conflict resolution,they do not propose a conflict resolution strategy.

4.2.2. SPARQL ASK queriesSacco and Passant [75,76] and Sacco et al. [77] de-

scribe the formal semantics of the PPO and present adetailed description of their Privacy Preferences Man-ager (PPM), which can be used to enforce access con-trol using SPARQL ASK queries. A follow-up pa-per Sacco and Breslin [74] extends the original PPOand PPM to allow access to be restricted based on


a dataset or a particular context. The authors alsoprovide support for conflict resolution, more expres-sive authorisations (in the form of negation and log-ical operators), and a broader set of access privi-leges (create, read, write, update, delete,append and control). In Sacco et al. [78], the au-thors demonstrate how both the PPO and the PPM canbe used to cater for fine grained access control on a mo-bile device. A number of shortcomings of their orig-inal enforcement algorithm are identified and a moreefficient algorithm which utilises pre-indexing, queryanalysis and results filtering is presented and evalu-ated.

Like Sacco and Passant [75], Villata et al. [100] useSPARQL ASK queries to determine if the requester hasthe permissions necessary to access a resource. Theauthors propose the disjunctive evaluation of policies,thus circumventing the need for a conflict resolutionmechanism. Follow up work by Costabello et al. [17,18] describes how an access control framework, calledShi3ld, can be used to enforce access control overSPARQL endpoints in a pluggable manner. In [19] theauthors extend the Shi3ld framework to cater for ac-cess control for a Linked Data Platform (LDP)16 [84].Resources refer simply to Linked Data resources thatare queries, created, modified and deleted via HTTPrequests processed by a LDP. Two alternative frame-works are presented, one which contains an embeddedSPARQL engine and a SPARQL-less solution. In thefirst scenario, Shi3ld remains unchanged. Whereas inthe second scenario, authorisations cannot contain em-bedded SPARQL queries and therefore are evaluatedusing subgraph matching. In their evaluation the au-thors compare all three frameworks, using the BillionTriple Challenge 2012 Dataset17. Based on their per-formance evaluation the authors conclude that accesscontrol over SPARQL endpoints is marginally slowerthan access control over LDP resources and that theirSPARQL-less solution exhibits a 25% faster responsetime.

4.3. Reasoning over RDF Access Control Policies

Inference is a process whereby new data is derivedfrom data which is known or assumed to be true. Sec-tion 3 discussed how deduction and abduction can be

16LDP, http://www.w3.org/2012/ldp/wiki/Main_Page

17BTC2012, http://km.aifb.kit.edu/projects/btc-2012/

used to simplify both policy specification and mainte-nance. However, inference can also be used to deduceinformation, which users should not have access to,commonly known as the inference problem. Both Thu-raisingham [91] and Nematzadeh and Pournajaf [62]highlight the need for security mechanisms to protectagainst such unauthorised inference. Although this isnot a new problem, the authors argue that with ad-vances in current data integration and mining technolo-gies, the problem is further magnified. According toQin and Atluri [69], if the semantic relationship be-tween entities is not taken into account it may be pos-sible to infer information which has been restricted, oraccess control policies may not exist for the inferredinformation making this information inaccessible.

Existing reasoning proposals focus on: (i) demon-strating how access rights can be inferred for newtriples deduced based on RDFS inference rules [41,50,65,58]; (ii) the propagation of access rights based onauthorisation subjects, access rights and resources [69,43,73,3]; (iii) proposing a flexible authorisation frame-work [53,52]; and (iv) examining use cases where itis desirable to grant access to data which has been in-ferred from unauthorised data [4].

4.3.1. RDFS InferenceWhen it comes to RDFS inference, there are two

different strands of research. The first infers accessrights for triples that are inferred using RDFS entail-ment rules [41,50]. Whereas the second uses RDFSentailment rules to propagate permissions for triplesthat already exist [65,58].

Inferring access rights for new triples. Jain andFarkas [41], demonstrate how RDFS entailment rulescan be used not only to infer new RDF triples, but alsoto infer access control annotations for those triples.The authors use RDF triple patterns and associated se-curity classifications, known as security labels, to limitaccess to RDF statements. They define a subsumptionrelationship between patterns and stipulate that sub-suming patterns must be as restrictive as the subsumedpatterns. In addition, they define a partial order be-tween security labels, which is used to determine thesecurity classification of triples inferred via RDFS en-tailment rules. If more than one pattern maps to a state-ment the most restrictive or the lowest upper boundtakes precedence. The authors provide formal defini-tions for each of the RDF security objects and definean algorithm to generate security labels for both ex-plicit and inferred triples based on a security policy

http://www.w3.org/2012/ldp/wiki/Main_Page


http://km.aifb.kit.edu/projects/btc-2012/

http://km.aifb.kit.edu/projects/btc-2012/


and a conflict resolution strategy. Limited details ofthe implementation are supplied and no evaluation isperformed.

While, Kim et al. [50] demonstrate how togetherauthorisations and RDFS inference rules can be usedto generate new authorisations as opposed to sim-ply access control annotations in the case of Jain andFarkas [41]. An authorisation is defined as a fourtuple 〈sub, obj, sign, type〉, where sub refers to theaccess control subject; obj is represented an RDFtriple pattern; act is the operation; sign indicate ifaccess is granted or denied; and type which is ei-ther R to indicate that the authorisation should bepropagated or L if it should not. The authors discusshow rdfs:subClass, rdfs:subProperty andrdf:type inference can be used to infer new autho-risation objects (triple patterns) and consequently newauthorisations. In addition, they examine the differentscenarios which might result in access to data beingboth permitted and prohibited. If the authorisation thatis prohibited is more specific than the authorisationthat is permitted based on the subclass/subproperty hi-erarchy then access should be denied. In order to de-termine if there is a conflict, only authorisations with asuperclass or superproperty that is negative need to bechecked.

Inferring and propagating access rights. Both Lopeset al. [58] and Papakonstantinou et al. [65] proposestrategies for deriving access control annotations us-ing RDFS inference policies. In the respective accesscontrol models both the triples and the correspondingannotations are represented as quads. Annotations canbe:

– directly associated with triples;– inferred using RDF inference rules;– propagated using RDF inference rules; or– assigned a default label.

The authors demonstrate how the RDFS subClass,subProperty and type inference rules can beused to assign annotations to inferred triples. How-ever, they do not dictate how the access control an-notations assigned to the premises should be com-bined, but rather propose an abstract operator whichcan be adapted to suit particular use cases. In addition,the authors demonstrate how the RDFS subClass,subProperty and type inference rules can be usedto propagate permissions to existing triples. As per in-ference rules existing annotations and propagated an-notations are inferred by means of a domain operator.

Lopes et al. [58] demonstrate how AnQL an exten-sion of the SPARQL query language can be used to en-force access control, by rewriting using the requesterscredentials to rewrite a SPARQL query to an AnQLquery. A follow-up paper [51] demonstrates how cus-tom rules can be used to support multiple access con-trol models and demonstrate how rules can be used topropagate permissions: based on hierarchies of autho-risation subjects, access rights and resources; to tripleswith the same subject; and using resource typing.

Papakonstantinou et al. [65] evaluate their proto-type over both ProgresSQL and MonetDB relationaldatabases. Based on their performance evaluation ofboth the inference and propagation rules, the authorsconcluded that more efficient storage and indexingschemes are required.

4.3.2. Propagation of AuthorisationsEarly proposals for the propagation of authori-

sations focused on reasoning over ontology con-cepts [69]. Subsequent work by Javanmardi et al.[44,43] focused not only on ontology concepts but alsoon reasoning over ontology properties and ontologyinstances. An alternative strategy which is proposed byRyutov et al. [72,73], takes a more abstract approachby propagating policies based on nodes and edges in asemantic network.

Ontological reasoning. Qin and Atluri [69], ex-tend XML based access control to take into ac-count the semantic relationships between the con-cepts that need to be protected. The authors pro-pose a Concept Level Access Control (CLAC) model,which allows for reasoning over concepts appear-ing in authorisation subjects, permissions and ob-jects. Access control policies are represented usingan OWL based vocabulary, which they call the Se-mantic Access Control Language (SACL) and datainstances are defined in domain ontologies. The au-thors use two properties SACL:higherLevelThanand SACL:lowerLevelThan to specify a par-tial order between authorisation subjects and permis-sions. The proposed access control propagation isbased on six domain independent relationships (i.e.superclass/subclass,equivalence,partof, intersection, union,complement).In the case of equivalence, partof, union andsubclass positive policies are propagated from sub-ject to object and negative policies are propagated fromobject to subject. Where there is an intersectionbetween two concepts, only negative policies are prop-


agated. In the case of complement relations neitherpositive nor negative authorisations are propagated.The authors acknowledge the need for conflict resolu-tion and simply propose a negation takes precedencehandling mechanism.

The Semantic Based Access Control Model (SBAC)proposed by Javanmardi et al. [44,43], builds on thework presented in Qin and Atluri [69], by catering foraccess control policy propagation, not only based onthe semantic relations between ontology concepts, butalso based on the relations between concepts, proper-ties and individuals. Like Qin and Atluri [69], OWLvocabularies are used to represent the authorisationsubjects, permissions and objects, however the autho-risations themselves are specified using rules. The au-thors propose the propagation of access rights basedon seven different types of inference, from:

– concept to concept (where classes are deemedrelated based on some vocabulary, for examplerdfs:subClass);

– concept to individual (where an entity is a typeof class, for example if employee is a class andJoeBloggs rdf:type employee);

– individual to individual (using properties such asowl:sameAs it is possible to propagate entitiesthat represent the same thing);

– property to concept (if access is granted to theproperty access should be granted to the classesgoverned by rdfs:domain and rdfs:range);

– property to property (where properties are deemedrelated based on some vocabulary. For examplerdfs:subProperty orowl:equivalentProperty);

– property to individual (where an entity is a typeof property, for example if roles is a property andmanager is of rdf:type role); and

– concept to property (where access is granted to aconcept it should also be granted to all propertiesrelating to that concept).

The authors describe how the aforementioned seman-tic relations can be reduced to subsumption relationsand propose a general propagation strategy for sub-sumption relations among subjects, permissions andobjects. In the case of subjects and objects, both pos-itive and negative access rights propagate from sub-sumee to subsumer. However, in the case of permis-sions positive access rights propagate from subsumeeto subsumer, while negative access right propagatefrom subsumer to subsumee.

Although an architecture is presented by Javanmardiet al. [43], very little detail on the actual enforcement

mechanism is supplied. Follow-up papers by Ehsanet al. [26] and Amini and Jalili [3] build on previ-ous work, by providing for an access control modelwith formal semantics and an enforcement framework,which is suitable for distributed semantic aware envi-ronments (for example Semantic Web, Semantic Gridand Semantic Cloud Computing). Policy rules, in boththe conceptual and individual levels, are specified us-ing a combination of deontic and description logic,which they refer to as MA(DL)2. The prototype con-sists of a user interface developed using the GoogleWeb Toolkit; a data reasoner implemented in Jena;and a tableaux reasoner implemented in Prolog. Theauthors present the results of a performance evalua-tion over increasing policy rules, where the decisionto grant or deny access is based on ground policies,inferred policies and the proposed conflict resolutionstrategy. The authors conclude that real-time reasoningis expensive. Therefore they suggest:

– using the parallelisation facilities of the tableauxsystem;

– adopting a proof based approach where the re-quester presents authorisation rules that demon-strate they can access the requested resource; and

– materialisation of inferred relations in advance.

Reasoning based on the semantic network. Ryutovet al. [72,73] propose a policy language which canbe used to specify access control in terms of the se-mantic relationships between the nodes and edges of agraph. In order to cater for policy propagation, two di-rected acyclic graphs are used to represent the relation-ship between users and groups (using a memberOfproperty) and between objects and bundles (using apartOf relation). Propagation policies are definedto allow for policy propagation based on both thepartOf and memberOf relations. The authors alsopropose safety and consistency policies that are used toprevent undesirable access control policy specificationand propagation, for example resources that nobodycan access. The authors propose a conflict resolutionalgorithm, which is based on the semantic network.When a policy explicitly refers to a node, the policydistance is zero. Whereas, when a policy is implicitlyassigned, based on a propagation policy, the distanceis determined by counting the number of nodes in thepath from the node with the explicit policy. The smallerthe distance, the more specific the policy. If multiplepolicies exist at different distances, the most specificpolicy takes precedence. If multiple explicit conflict-


ing policies exist, conflicts are resolved using logicalconjunction (i.e. if one policy grants access and an-other policy denies access then the user will be de-nied access). In the case of implicit policies, conflictsare resolved using logical disjunction (i.e. if one policygrants access and another policy denies access then theuser will be granted access).

4.3.3. Flexible Reasoning FrameworkKirrane et al. [53,52] demonstrate how authorisa-

tions based on quad patterns together with stratifiedDatalog rules can be used to enforce DAC over theRDF data model. An RDF quad pattern is an RDFquad with optionally a variable V in the subject, pred-icate, object and/or graph position. A quad pattern is aflexible mechanism which can be used to grant/restrictaccess to an RDF quad, a collection of RDF quads(multiple quads that share a common subject), a namedgraph (arbitrary views of the data), specific classes orproperties. The authors describe how the hierarchicalFlexible Authorisation Framework proposed by Jajo-dia et al. [42], which is composed of authorisations,propagation policies, conflict resolution rules and in-tegrity constraints, can be extended to cater for theRDF graph data model. They describe how togetherpattern matching and propagation rules can be usedto ease the maintenance of access control policies forlinked data sources; and show how conflict resolu-tion policies and integrity constraints can ensure accesscontrol policy integrity. Propagation policies can beused to simplify authorisation administration by allow-ing for the derivation of implicit authorisations fromexplicit ones. Rather than propose a conflict resolu-tion strategy the authors provide a formal definitionfor a conflict resolution rule that can be used to de-termine access given several different conflict resolu-tion strategies. For example conflict resolution policiesbased on the structure of the graph data system com-ponents; the sensitivity of the data requested; or con-textual conditions pertaining to the requester. Integrityconstraints are used to restrict authorisation creationbased on the existing relationships between SPARQLoperations and RDF data items. For example, INSERTand DELETE can only be applied to an RDF quadwhereas DROP, CREATE, COPY, MOVE and ADD canonly be associated with a named graph. As per conflictresolution the authors provide a formal definition of anintegrity constraint and demonstrate how rules can beused to ensure that only valid authorisation and propa-gation policies can be specified.

4.3.4. Safe ReasoningWhen it comes to reasoning over restricted data,

there is a general consensus that any information thatcan be inferred from restricted data should also be re-stricted. An alternative viewpoint is presented by Baoet al. [4]. The authors focuses on a number of use caseswhere it is desirable to grant access to information thathas been inferred from restricted data:

(i) a calendar showing the existence of an appoint-ment without revealing specifics;

(ii) a booking engine sharing partial hotel details; and(iii) a pharmacy confirming that the patients drugs are

reimbursable without disclosing details.

The open world assumption is used to ensure that userscannot distinguish between information which doesnot exist and information with is inaccessible. The au-thors stipulate that, the knowledge base should not lie,the answers given should be independent of any pre-vious answers and it should not be possible to inferany restricted data. The authors propose a safe reason-ing strategy is based on the notion of conservative ex-tension. Essentially the reasoner keeps a history of theanswers to all previous queries. For each subsequentquery, the history is consulted, in order to verify thatunauthorised information cannot be inferred by the re-quester.

4.4. Partial Query Results

A number of the access control mechanisms forRDF data that have been presented, demonstrate howtheir access control can be enforced on top of SPARQLqueries. However, the solutions examined thus far ei-ther grant or deny access to the entire query. This sec-tion examines how data filtering [25,60] and queryrewriting [1,32,14,64,17] can be used to return partialquery results when access to some of the results is re-stricted by an access control policy.

4.4.1. Data FilteringDietzold and Auer [25] examine access control re-

quirements for an RDF store from a semantic wikiperspective. The authors propose access control policyspecification at multiple levels of granularity (triples,classes and properties). In addition, they define threeatomic actions (read, insert and delete) forboth individual triples and sets of triples. Authorisa-tions are used to generate a virtual model of the data,upon which user queries are executed. Authorisationsare used to associate filters (SPARQL CONSTRUCTqueries) with users and resources. When a requester


submits a query, a virtual model is created based on thematched authorisations. The query is executed againstthe virtual model, which only contains data the re-quester is authorised to access. Gabillon and Letouzey[33] also describe how RDF data can be logically or-ganised into views using SPARQL CONSTRUCT andDESCRIBE queries.

Mühleisen et al. [60] describe a Policy-enabledLinked Data Server (PeLDS), which uses WebID toauthenticate users. The policy language caters for thespecification of access control policies for particulartriple patterns, resources or instances, using SWRLrules. An OWL ontology is used to identify the ruletypes (single concept and triple pattern)and supported actions query and update. Negationis not supported in the presented modelling. When arequester submits a query, the system uses their WebIDto determine the data instances that the user has beengranted access to and generates a temporary namedgraph containing authorised data. The requesters queryis subsequently executed against the temporary namedgraph and the results are returned to the user.

4.4.2. Query RewritingExisting query rewriting strategies involve: limiting

the query to a specific named graph [17]; rewriting aview so that it considers propagation rules and bothinstance and range restrictions [57]; and creating bind-ings for variables and adding them to the query WHEREclause [1,32,14,64].

Named graph added to the query. Costabello et al.[17] restrict access to named graphs using queryrewriting. An access control policy is a tuple:〈ACS,AP, S,R,AEC〉, where ACS is a set of accessconditions (specified using SPARQL ASK queries); APis a set of access privileges (CREATE, READ, UPDATEor DELETE); S denotes the subjects to be protected; Rrepresents the named graphs to be protected; and AECis the evaluation context specified using name valuepairs (verified using SPARQL BINDINGS). In addi-tion to the SPARQL query that the user wishes to ex-ecute, the user provides their access credentials, in theform of a SPARQL UPDATE query, which containscontextual data. The enforcement framework stores thecontextual data in a named graph and retrieves the au-thorisations that match the query type. In order to de-termine if access is permitted, the ASK query and theBINDINGS, that are specified in the authorisation, areexecuted against the users contextual graph. If the ASKquery returns true then the query is rewritten to include

the corresponding named graph.

Expanding views based on propagation rules andinstance and range restrictions. Li and Cheung [57]propose a query rewriting strategy for views generatedfrom ontological relations. An access control policyis defined as a tuple 〈s, v, sign〉, where s denotes thesubject, v represents a set of concepts, relations andfilters and sign is used to indicate permissions and pro-hibitions. Both views and queries that are also gen-erated from sets of concepts, relations and filters arerepresented using rules. Propagation policies are usedto generate implicit authorisations from explicit au-thorisations, based on subsumption relations betweenaccess control subjects and subsumption relations be-tween concepts, appearing in the body of the view. Theproposed query rewriting strategy involves: (i) retriev-ing the policies applicable to the subject, taking intoaccount the subject propagation rules; (ii) expandingeach of the concepts in the body of the view based onthe concept propagation policies; and (iii) applying therelevant range and instance restrictions to the querybased on the expanded view.

Adding bindings to the query. Abel et al. [1] proposea combined approach to access control enforcement.Contextual conditions that are not dependent on RDFdata are evaluated by a policy engine. Whereas thequery is expanded to include the contextual conditionsthat are dependent on RDF data. Such an approach re-quires the substitution of variables to ensure unique-ness, however in doing so they are able to leverage thehighly optimized query evaluation features of the RDFstore. In the presented modelling, both positive andnegative authorisations are composed of sets of contex-tual predicates, path expressions and boolean expres-sions. Queries are assumed to have the following struc-ture SELECT/CONSTRUCT RF FROM PE WHEREBE, where RF represents the result form (projectionsin the case of SELECT queries and triples in the caseof CONSTRUCT queries); PE denotes the path expres-sion; and BE corresponds to one ore more boolean ex-pressions connected via conjunction or disjunction op-erators. An authorisation is deemed applicable if thetriple pattern the policy is protecting, is part of eitherthe PE or the BE, and the corresponding contextualpredicates, path expressions and boolean expressionsare satisfied. The authors propose a query rewriting al-gorithm, which constructs bindings for authorisationpath expressions and contextual predicates. For pos-itive authorisations the bindings are appended to the


query WHERE clause. Whereas, for negative authorisa-tions the bindings are added to a MINUS clause, whichin turn is appended to the query. The authors concludethat the proposed rewriting strategy, which was eval-uated over a Sesame database, increases linearly withadditional WHERE clauses.

Franzoni et al. [32] propose a query rewriting strat-egy, which is used to grant/deny access to ontology in-stances. The authors rewrite queries to take into ac-count contextual information, pertaining to the useror the environment. A fine grained access control(FGAC) policy is defined as a tuple:〈target, 〈property, attribute, operator〉〉 where:

– target is the resource that the policy relates to;– property is a path expression, which either di-

rectly or indirectly relates to the target;– attribute is the user attributes, that are bound to

the path expression variables; and– operator is the filter condition.

The authors propose a two tiered approach to accesscontrol enforcement. Access control policies are usedto determine if access should be granted or denied.FGAC policies are only applied if access is granted. Ifthe query contains one ore more FGAC policy targets,the query is rewritten to include the path expressionand a WHERE clause, which is composed of an expres-sion generated from the variables in the path expres-sion, the attributes of the requester and the operator.

Chen and Stuckenschmidt [14] present a queryrewriting strategy, which can be used to restrict accessto data represented using ontologies. The authors fo-cus on restricting access to instance data. Access con-trol policies are used to deny access to specific indi-viduals or to grant/deny access to instances associatedwith a given class or property. When access is prohib-ited to specific individuals, a FILTER expression isgenerated, which ensures that none of the query vari-ables bind to the prohibited individuals. When accessis granted to predicates or classes, a FILTER expres-sion is generated, which binds the relevant variables inthe query to the specified predicate or class. Whereas,when access is prohibited to predicates or classes, thematching triple patterns are made OPTIONAL and aFILTER expression is generated, which ensures thatthe corresponding variables do not bind to the speci-fied predicate or class, and variables that are !BOUNDare not returned.

Oulmakhzoune et al. [64] propose a query rewrit-ing strategy for SPARQL queries. In the presentedmodelling, both positive and negative authorisations

are composed of sets of filters that are associatedwith simple conditions or involved conditions. Given aSPARQL query the algorithm examines each individ-ual basic graph pattern (BGP). In the case of simpleconditions, when authorisations permit/deny access toa single triple pattern, the following query rewritingstrategy is applied: If all authorisations that match thetriple pattern, permit access to the triple pattern, no ac-tion is required; If all authorisations prohibit access tothe triple pattern, the triple pattern is deleted; Other-wise, if the BGP is converted to an OPTIONAL BGP,and the authorisation FILTER expression is added tothe query. In the case of involved conditions, where au-thorisations permit/deny access for a given predicate,the following query rewriting strategy is applied: Forpositive authorisations, if the query contains a triplepattern which matches the predicate of the authori-sation, the FILTER condition is added. Alternativelyboth the triple pattern and the corresponding FILTERare added; For negative authorisations, if the querycontains a triple pattern which matches the predicateof the authorisation, and the object is a variable, boththe FILTER condition and a !BOUND expression areadded; Alternatively the triple pattern, the correspond-ing FILTER condition and a !BOUND expression areadded.

5. Access Control Requirements for Linked Data

More recently, the focus has shifted to the specifi-cation and enforcement of access control over LinkedData. Costabello et al. [19], Sacco et al. [77] andKirrane et al. [52] describe how their policy lan-guages and frameworks can be used in conjunctionwith Linked Data, and Steyskal and Polleres [86] dis-cuss how ODRL can be used to specify access poli-cies for Linked Data. However, any of the access con-trol mechanisms examined thus far could potentiallybe used (albeit to a lesser or greater extent) to enforceaccess control over Linked Data.

This section provides a summary of existing require-ments for RDF data, and uses these requirements tocategorise existing access control strategies that havebeen proposed for RDF. As the work presented in Sec-tion 2 focused on extending existing access controlmodels and standards as opposed to enforcing accesscontrol over RDF, the analysis is limited to the policylanguages presented in Section 3 and the different ac-cess control strategies described in Section 4.


The requirements presented below are derived fromseveral papers that examine access control for RDFfrom a number of perspectives. Yagüe del Valle et al.[104] examine the different layers of the Semantic Weband how the technologies and concepts can be ap-plied to access control. Both Damiani et al. [22] andWeitzner et al. [102] focus on the access control mech-anisms that are required to support new access controlparadigms where user privacy is a key requirement. DeCoi et al. [23] and Bonatti and Olmedilla [8] inves-tigate the interplay between trust, access control andpolicy languages. While, Ryutov et al. [73] focus moreon the data model, investigating access control require-ments from a graph perspective, as opposed to the tra-ditional hierarchical approach. We also consider theset of access control guidelines devised by the W3CLinked Data Platform Working Group (LDP)18 [90].

Although it would also be interesting to examinethe access control requirements arising from emergingLinked Data access strategies (e.g. Linked Data Frag-ments) and novel languages for navigating and con-suming triples on the Web (e.g. nSPARQL), as thesetechnologies are still evolving such an investigation isleft to future work.

To ease referenceability the access control require-ments are categorised under the headings specification,enforcement, administration and implementation.

5.1. Specification

Generally speaking, access control policy specifica-tion requirements relate to the types of policies thatcan be expressed, and the interoperability of the cho-sen representation format. An overview of each of therequirements relating to access control specification ispresented below and a summary of existing proposalsis depicted in Table 5 and the corresponding timelineis represented in Figure 3. . One requirement, whichwas not included is monotonicity. According to Bon-atti and Olmedilla [8], the addition of new evidencesand policies should not negate any of the previous con-clusions. However, given that access control policiesmay depend on information that can change, for ex-ample a change in user context or the removal of auser from a role, it should be possible to update theknowledge base. Therefore, depending on access con-trol model/requirements one could argue that accesscontrol should in fact be non-monotonic.

18LDP, http://www.w3.org/2012/ldp/wiki/Main_Page

Granularity [73,3,90]. The W3C Linked Data Plat-form Working Group [90] identify the need to cater forfine grained access control that supports different lev-els of granularity ( document, named graphs, triples, orindividual attributes). Ryutov et al. [73] adopt a graphperspective, stating that it should be possible to spec-ify access control rules for nodes (entities) and edges(semantic relationships between entities). Whereas,Amini and Jalili [3] adopt an ontological view, stat-ing that it is necessary to specify policies for bothontology concepts and individuals. Existing accesscontrol strategies for RDF, resources are specified atseveral different levels of granularity. Namely, triples[25,65,75], named graphs [18,33,75], views [57], triplepatterns [41,50,60,70], quad patterns [52], graph pat-terns with filters [1,14] and graph patterns without fil-ters [31], classes and properties [25], ontology con-cepts [4,8,3,26,43,47,56,64,69,75,93,95,86], ontologyindividuals [3,26,32,43,75] and graph nodes and edges[73]. In the vast majority of cases, access is eithergranted or denied. However, a number of researchershave investigated returning partial query results to therequester. Such strategies either involve dataset fil-tering [25,60] or rewriting the query using either fil-ters [1,14,31,32,60,52] or named graphs [18]. In Table5 the granularity of the authorisations and the differ-ent strategies used to cater for partial query results arerepresented as Granularity and Partial Results respec-tively.

Underlying Formalism [23,3,8]. Access control lan-guages should be based on formal semantics, as it de-couples the meaning of the policies from the actual im-plementation. The majority of researchers either adoptformalisms based on logic programming [8,47,93,86]or different flavors of description logic [3,4,14,43,56,93,95]. Kagal et al. [47] demonstrate how logic pro-gramming can be combined with deontic logic, Kir-rane et al. [52] adopt a DATALOG formalism, Aminiand Jalili [3] demonstrate how description logic can becombined with deontic logic, Kolovski et al. [56] com-bine description logic and defeasible logic and Ryutovet al. [73] adopt a many sorted first order logic formal-ism.

Reasoning [22,73,3]. It should be possible to prop-agate policies based on the semantic relations be-tween authorisation subjects, objects and access rights.Using ontologies, rules or a combination of both, itis possible to perform deductive reasoning and ab-




Table 5Specification requirements - A=attributes, C=context, O=obligation, P=permission

Granularity PartialResults

UnderlyingFormalism

Reasoning ConditionExpr.

Evidences Interoperability

Abel et al. [1] graph patterns& filters

bindings& filters

- - P± C RDF & SeRQL& SPARQL

Amini and Jalili [3]Ehsan et al. [26]

concepts &individuals

- DL &deontic logic

deduction &abduction

P± O± A & C OWL

Bao et al. [4] ontologyconcepts

- DL SHIQ privacypreserving

- - OWL

Bonatti et al. [10]Bonatti and Olmedilla [7,8]

ontologyconcepts

- LP deduction &abduction

P± A & C &OpenID

RDF

Chen and Stuckenschmidt [14] graph patterns& filters

bindings& filters

DL deduction &abduction

P± - OWL &SPARQL

Villata et al. [100]Costabello et al. [17,18,19,20]

named graphs named graphs - - P± A & C &WebID

RDF &SPARQL

Dietzold and Auer [25] triples, classes& properties

datafiltering

- - P+ - RDF

Flouris et al. [31] graph patterns bindings& filters

- - P± - RDF &SPARQL

Franzoni et al. [32] ontologyindividuals

bindings& filters

- RDFSentailment

P± A & C RDFS &SPARQL

Gabillon and Letouzey [33] named graph& views

- - - P± A & C RDF &SPARQL

Jain and Farkas [41] triple patterns - - RDFSentailment

P± - RDF(S)

Javanmardi et al. [43] concepts &individuals

- DL SHOIN subsumption P± - OWL

Kagal et al. [47]Kagal et al. [48,49]Kagal and Berners-lee [46]Denker et al. [24]

ontologyconcepts

- LP deduction &abduction

P± O± A & C OWL

Kodali et al. [54]

Kim et al. [50] triple pattern - - RDFSentailment

P± - RDF(S)

Kirrane et al. [51,53,52]Lopes et al. [58]

quad patterns SPARQLqueries &updates

DATALOG flexibleframework

P± A &WebID

RDF(S) &SPARQL &RDB2RDF

Kolovski et al. [56] ontologyconcepts

- DL SHOIN &defeasiblelogic

deduction &abduction

P± A OWL

Li and Cheung [57] views propagation - - P± - RDFMühleisen et al. [60] triple patterns data filtering - deduction &

abductionP+ WebID &

OpenIDOWL

Oulmakhzoune et al. [64] ontologyconcepts

bindings& filters

- - P± - RDF &SPARQL

Papakonstantinou et al. [65] triples - - RDFSentailment

P± C RDF(S)& SPARQL

Qin and Atluri [69] concept - - ontologyconceptrelations

P± - RDF

Reddivari et al. [70] triple patterns - - RDFSentailment

P± A RDF(S)

Ryutov et al. [72,73] nodes & edges - many sortedfirst orderlogic

subject &objectsubsumption

P± A RDF

Sacco et al. [77,78]Sacco and Passant [76]Sacco and Breslin [74]

resource,triple & graph

- - - P± A & C &WebID &OpenID

RDF &SPARQL

Steyskal and Polleres [86,87] ontologyconcepts

- LP subsumption& composi-tion

P± O± A ODRL &RDF &SPARQL

Toninelli et al. [92,93] ontologyconcepts

- DL & LP deduction &abduction

P± O± A & C OWL

Uszok et al.[95,96,97,99,98,94]Bradshaw et al. [11,12]Johnson et al. [45]Suri et al. [89]

ontologyconcepts

- DL deduction &abduction

P± O± C OWL


Fig. 3. Access Control Specification

2002 2004 2006 2008 2010 2012 2014

Granularity

Partial Results

Formalism

Reasoning

Condition Expr.

Evidences

Interoperability

ontology concepts[6

9][95][4

7]

patterns[7

0]

patterns[4

1], ontologgy concepts[4

3][25]

ontology concepts[4

][56][3

2], patterns[1

]

patterns[5

0], views[5

7]

nodes& edges[

73], ontology concepts[9

3][8], patte

rns[14]

ontology concepts[3

][64], patte

rns[31][6

0], graphs & view

s[33]

resource

s, triples

& graphs[7

5]

named

graphs[1

8], triples

[65]

patterns[5

2]

ontology concepts[8

6]

datafilter

ing[25]

bindings & filters[1

][32]


4]


1], datafilter

ing[60]

named

graphs[1

8]


2]

logic programming

& deonticlogic[

47]

DL[43]

DL [4][56] & defe

asible logic[

56]

logic programming[8][9

3], DL[93][14]

DL & deonticlogic[

3]

DATALOG[52]

logic programming[86]

deduction & abductio

n[47][95],

RDFS entailment[6

9]

RDFS entailment[7

0]

subsumption[43], RDFS entail

ment[41]

privacy

preserv

ing[4], deduction & abductio

n[56], RDFS entailment[3

2]

RDFS entailment[5

0]


n[8][93][1

4],subsumptio

n[73]


n[3][60]

flexible framew

ork[52]

subsumption [86]

permiss

ions±[69][9

5][47],

obligatio

ns±[95][4

7]

permiss

ions±[70]

permiss

ions±[41],[4

3][25]

permiss

ions±[56][3

2][1]

permiss

ions±[50][5

7]

permiss

ions±[73][9

3][8][1

4], obligatio

ns±[93]

permiss

ions±[3][6

4][31][6

0][33], oblig

ations±

[3]

permiss

ions±[75]

permiss

ions±[18][6

5]

permiss

ions±[52]

permiss

ions±[86], oblig

ations±

[86]

attributes

[47]contex

t[95][4

7]

attributes

[70]

attributes

[32], context[1

][32]

attributes

[73][93][8

], context[9

3][8], OpenID

[8]

attributes

[3][33], contex

t[3][3

3], WebID& OpenID

[60]

attributes

[75], context[7

5], WebID& OpenID

[75]

attributes

[18], context[1

8][65], WebID

[18]

attributes

[52], WebID[52]

attributes

[86]

RDF[69], OWL[95][47]

RDF(S)[70]

RDF[25], RDF(S)[41], OWL[43]

RDFS[32][1], OWL[4][5

6], SPARQL[32][1], SeR

QL[1]

RDF[57], RDF(S)[50]

RDF[73][8], OWL[93][1

4], SPARQL[14]

RDF[64][31][3

3], OWL[3][60], SPARQL[64][3

1][33]

RDF[75], SPARQL[75]

RDF[18], RDF(S)[65], SPARQL[18][6

5]

RDF(S)[52], SPARQL[52], RDB2RDF[52]

RDF[86], SPARQL[86], ODRL[86]

Publication Year

Acc

ess

Con

trol

Spec

ifica

tion


ductive reasoning over access control policies [3,8,14,47,56,60,93,95]. In addition, a number of au-thors have proposed propagation strategies based onRDFS entailment [32,41,50,69,70] and hierarchies,partial orders or ontological relations between RDFresources [43,65,73,86]. Kirrane et al. [52] propose aflexible authorisation framework which can be usedto specify declarative authorisations, propagation poli-cies, integrity constraints and conflict resolution rules.Unlike the other authors, who use reasoning to eitherinfer or to propagate access control policies, Bao et al.[4] demonstrates how it is possible to reason over re-stricted data without releasing any restricted informa-tion. However, the interplay between the various rea-soning strategies proposed, and the access control re-quirements arising from concrete use cases remains anopen issue.

Condition Expressiveness [23,8]. When it comes toaccess control, it should be feasible to specify condi-tions under which a request will be permitted or pro-hibited. The majority of the access control strategiesthat were examined support both authorisations andobligations. However, ODRL [86] and the general pol-icy languages [3,47,93,95] also catered for obligationand dispensation policies.

Evidences [22,23,8,3,90]. According to The W3CLinked Data Platform Working Group [90] to shouldbe possible to authenticate a subject (otherwise knownas an agent) with an identifier or as the owner of a to-ken. However, as the requester may be unknown to thesystem prior to submitting a request, access should bebased on properties pertaining to the requester, com-monly know as attributes, instead of traditional iden-tities [3,8,18,32,33,47,52,56,70,73,75,93]. It shouldalso be feasible to dynamically activate policies basedon context [1,3,8,18,32,33,47,65,75,93,95,86]. Con-text can relate to the requester, the system or the en-vironment. Attributes and context should be commu-nicated by means of digital certificates, known as ev-idences. The de facto standard for submitting evi-dences is WebID [60,18,52,75]. However, a numberof researchers have also proposed using OpenID19

[8,60,75]. According to Inkster et al. [40] althoughboth WebID and OpenID serve the same purpose, We-bID has a number of benefits over OpenID. For exam-ple WebID is simpler to use as a User Agent remem-

19OpenID,http://openid.net/bers the URI on behalf of the user, the establishing

of identity is easy, WebID is truly decentralized andWebID is fully distributed. For additional details thereader is referred to the detailed comparison presentedin Inkster et al. [40].

Interoperability [104]. Access control for open dis-tributed environments, such as the web, needs to beable to support a wide variety of disparate policies, re-sources and users. One of the primary goals of stan-dardisation is to maximize interoperability. As eachof the access control strategies examined use openstandards, such as RDF, RDFS, OWL and SPARQL,regardless of the specific use case they are suitablefor access control over Linked Data. Using ontolo-gies it is possible to specify access control vocab-ularies that can easily be adopted by others. In ad-dition, OWL predicates such as owl:sameAs andowl:disjointFrom can be used to merge differentaccess control vocabularies.

5.2. Enforcement

Access control enforcement requirements refer toconstraints that are placed on the policy language ormechanisms that assist the requester to complete theirrequest. An overview of the requirements is presentedbelow and a snapshot of existing support for said re-quirements is presented in Table 6 and the correspond-ing timeline is represented in Figure 4.

Information & Negotiation [22,23,8,90]. In other toprotect user privacy, it should be possible for both theservice provider and the requester to define policesand exchange credentials until and agreement has beenreached. The W3C Linked Data Platform WorkingGroup [90] indicate that service providers should de-scribe access control policies for a given resource anduser agents should be able to find the policies associ-ated with a resource. The process is commonly knownas negotiation. The P3P recommendation and the AP-PEL vocabulary have been designed to support auto-matic negotiation between clients and servers. The ac-cess control mechanisms proposed by Amini and Jalili[3], Bonatti and Olmedilla [8] and Toninelli et al. [93]all cater for access control negotiation.

Explanations [23,8,90]. According to De Coi et al.[23], Bonatti and Olmedilla [8], The W3C LinkedData Platform Working Group [90], service providersshould provide explanations why access was not al-


Table 6Enforcement requirements

Information &Negotiation

Explanation ConflictResolution

Abel et al. [1] - - defaultAmini and Jalili [3]Ehsan et al. [26]

bidirectionalpolicies

- algorithm

Bao et al. [4] - - algorithmBonatti et al. [10]Bonatti and Olmedilla [7,8]

bidirectionalpolicies

metarules & queries -

Chen and Stuckenschmidt [14] - - -Villata et al. [100]Costabello et al. [17,18,19,20]

- - default

Dietzold and Auer [25] - - -Flouris et al. [31] - - defaultFranzoni et al. [32] - - -Gabillon and Letouzey [33] - - defaultJain and Farkas [41] - - algorithmJavanmardi et al. [43] - - algorithmKagal et al. [47]Kagal et al. [48,49]Kagal and Berners-lee [46]Denker et al. [24]

- - metapolicies

Kim et al. [50] - - algorithmKirrane et al. [51,53,52]Lopes et al. [58]

- - flexibleframework

Kolovski et al. [56] - - prioritiesLi and Cheung [57] - - harmonisationMühleisen et al. [60] - - -Oulmakhzoune et al. [64] - - -Papakonstantinou et al. [65] - - defaultQin and Atluri [69] - - defaultReddivari et al. [70] - - meta

policiesRyutov et al. [72,73] - user

interfacealgorithm


- - -

Toninelli et al. [92,93] bidirectionalpolicies

descriptions harmonisation

Steyskal and Polleres [86,87] - - defaultUszok et al. [95,96,97,99,98,94]Bradshaw et al. [11,12]Johnson et al. [45]Suri et al. [89]

- - harmonisation

lowed. Rather than simply granting or denying access,the policy should also provide details of how the deci-sion was reached. Such explanations would be of bene-fit to both the requester and the policy owner, making iteasier for the requester to understand what is requiredof them and for the policy owner to troubleshoot poten-tial problems. Bonatti and Olmedilla [8], Ryutov et al.[73] and Toninelli et al. [93] all provide policy expla-nations. However, both Ryutov et al. [73] and Bonattiand Olmedilla [8] provide a means to execute queriesover policies in order to obtain additional information.It it worth noting that explanations should be used withcare as such information could in fact weaken the se-curity of the policy.

Conflict Resolution [3]. Conflicts between both ex-plicit and implicit policies should be resolved au-tomatically. A number of different conflict resolu-tion strategies have been proposed. In the event ofa conflict some authors simply default to grant/-deny [1,18,31,33,65,69,86], use priorities to deter-mine dominance [56] or use metapolicies as a flexi-ble means to resolve conflicts [47,70]. A number ofauthors propose conflict resolution algorithms basedon several different measures [3,4,41,43,50,73]. Kir-rane et al. [52] suggest a general syntax, which can beused to specify declarative conflict resolution policies.Whereas, others try to isolate individual data itemsthat are in conflict and propose harmonisation strate-gies [57,93,95].


Fig. 4. Access Control Enforcement

2002 2004 2006 2008 2010 2012 2014 2016

Negotiation

Explanations

Conflict Resolution

bidirectio

nal policies[

8][93]

bidirectio

nal policies[

3]

metarules

& queries[

8],

interfac

e[93],

descrip

tions[7

3]

default[6

9],

harmonisa

tion[95],

metapolici

es[47]

metapolici

es[70]

algorith

m[41][43]

algorith

m[4], harmonisa

tion[56], defa

ult[1]

algorith

m[50], harmonisa

tion[57]

algorith

m[73], harmonisa

tion[93]

algorith

m[3], default[3

1][33]

default[1

8][65]

flexible framew

ork[52]

default[8

6]

Publication Year

Acc

ess

Con

trol

Enf

orce

men

t

Fig. 5. Access Control Administration

2002 2004 2006 2008 2010 2012 2014

Delegation

Consistency & Safety

Usability

Understandability

speach act

s[47]

language[8

]

case stu

dy[3], queries[

33]

DAC[52]

algorith

m[41]

algorith

m[4], analysis

service

s[56]

metapolici

es[14][7

3]

algorith

m[3]

metapolici

es[52]

admin tool[95]

admin module[41]

editor[7

3]

manager[75]

manager[20]

policydisc

losure[95]

analysis

service

s[56]

ProtuneXexplan

ations[8

],

permiss

ion check[73]

Publication Year

Acc

ess

Con

trol

Adm

inis

trat

ion

5.3. Administration

This section presents a number of access control re-quirements that are necessary to simplify the specifi-cation and maintenance of access control policies. Anoverview of the requirements is presented below and asummary of current support is presented in Table 7 and

the corresponding timeline is represented in Figure 5.Although a number of researchers indicate that theyprovide some level of support for these requirements,generally speaking research efforts seem to focus moreon the specification and enforcement mechanisms, andvery little detail is supplied.


Table 7Administration requirements

Delegation Consistency& Safety

Usability Understandability

Abel et al. [1] - - - -Amini and Jalili [3]Ehsan et al. [26]

case study algorithm - -

Bao et al. [4] - algorithm - -Bonatti et al. [10]Bonatti and Olmedilla [7,8]

language - - ProtuneXexplanation

Chen and Stuckenschmidt [14] - metapolicies

- -

Villata et al. [100]Costabello et al. [17,18,19,20]

- - policy managerweb app

-

Dietzold and Auer [25] - - - -Flouris et al. [31] - - - -Franzoni et al. [32] - - - -Gabillon and Letouzey [33] construct &

describe queries- - -

Jain and Farkas [41] - algorithm RACL adminmodule

-

Javanmardi et al. [43] - - - -Kagal et al. [47]Kagal et al. [48,49]Kagal and Berners-lee [46]Denker et al. [24]

speech acts - - -

Kim et al. [50] - - - -Kirrane et al. [51,53,52]Lopes et al. [58]

DAC flexibleframework

- -

Kolovski et al. [56] - analysisservices

- analysisservices

Li and Cheung [57] - - - -Mühleisen et al. [60] - - - -Oulmakhzoune et al. [64] - - - -Papakonstantinou et al. [65] - - - -Qin and Atluri [69] - - - -Reddivari et al. [70] - - - -Ryutov et al. [72,73] - meta

policiesRAW policyeditor

RAWpermission check


- - privacypreferencemanager

-

Steyskal and Polleres [86,87] - - - -Toninelli et al. [92,93] - - - -Bradshaw et al. [11,12]Uszok et al. [95,96,97,99,98,94]Johnson et al. [45]Suri et al. [89]

- - KAoS policyadmin tool

policydisclosure

Delegation [8]. It should be feasible to temporar-ily transfer access rights to other users. In relationaldatabases, users are granted sole ownership of the ta-bles and views that they create. They can subsequentlygrant access rights to other database users. Amini andJalili [3], Bonatti and Olmedilla [8], Gabillon andLetouzey [33] and Kagal et al. [47] indicate that theysupport the delegation of access rights. Kirrane et al.[52] demonstrate how the discretionary access controlmodel can be used to guide access control specifica-tion and administration. However, the suitability of ex-isting revocations strategies, for the RDF graph model,warrants further research.

Consistency & Safety [73]. In order to ensure the ac-cess control system is complete and accurate, inser-tion and deletion of policies should be controlled. Itshould not be possible to elevate your own privilegesor to assign permissions that would make data inacces-sible to everyone. Although a number of researchersindicate that their frameworks support consistency andsafety constraints, very little information is provided.Kolovski et al. [56], Amini and Jalili [3], Bao et al.[4] and Jain and Farkas [41] ensure consistency andsafety as part of their administration algorithms. Chenand Stuckenschmidt [14] and Ryutov et al. [73] sug-gest that metapolicies can be used to ensure consis-


tency and safety. Kirrane et al. [52] propose a generalsyntax for integrity constraints, which can be used tospecify declarative constraints. Given the diversity ofaccess control models, policies and reasoning strate-gies that have been proposed for RDF, additional re-search is required in order to determine potential is-sues with access control policies and propose suitablehandling mechanisms.

Usability [22,3]. The specification and the mainte-nance of access control policies should be as sim-ple as possible. Administration facilities that sup-port ease of both specification and maintenance ofpolicies have been provided by a number of re-searchers [41,73,76,95,20]. Jain and Farkas [41] pro-vide a screenshot of their RACL admin tool, how-ever no explicit details are provided with respect to thefunctionality. According to Costabello et al. [20], Us-zok et al. [95], Ryutov et al. [73], Sacco and Pas-sant [76] their policy managers proposed by enableadministrators to create, edit and deleting access con-trol policies. However, it is not clear how usable theseinterfaces are when it comes to the administration ofcomplex policies over large datasets. Given the com-plexity associated with reasoning over graph data, ad-vanced data analytics and visualisation techniques areneeded to highlight the effects of advanced policies,constraints and deduction rules.

Understandability [73,3]. It should be easy to un-derstand the interplay between policies. Only a hand-ful of researchers associate policy explanations withpolicies. Similarly, only a select few provide systemsthat enable administrators to verify the interplay be-tween policies [8,56,73,95]. Given the dynamic natureof context based access control and the various deduc-tion and propagation strategies, further research on au-tomating the explanations and presenting the results ina manner which is digestible by humans is necessary.

20Protune,http://rewerse.net/I2/software.html21Protune-x,http://cs.na.infn.it/rewerse/demos/protune-x/demo-

protune-x.html22S4AC,http://ns.inria.fr/s4ac/v1#23Shi3ld, http://wimmics.inria.fr/projects/shi3ld/24Rein, http://dig.csail.mit.edu/Rein/25GFAF,http://gfaf.sabrinakirrane.com/26PPO, http://vocab.deri.ie/ppo27PPM,http://vmuss13.deri.ie/ppmv2/28Proteus, http://lia.deis.unibo.it/research/Proteus/29KAoS framework, http://ontology.ihmc.us/kaos.html

5.4. Implementation

Implementation requirements generally refer tonon-functional requirements. As with any softwaresystem, non-functional requirements hold the key tothe adoption of a tool or technology. Although a num-ber of authors indicate that the solutions they proposeare flexible or extensible, seldom do researchers eval-uate these claims. Table 8 and the corresponding time-line is represented in Figure 6 provide an overviewof the technologies adopted and indicates the evalua-tions performed. Where applicable a link to the ontol-ogy, framework, dataset or demo is provided under theheading ’Available Resources’.

Effectiveness [73]. In order to work in practice, ac-cess control enforcement and administration needs tobe efficient. A number of authors have presented per-formance evaluations of their access control enforce-ment [3,18,33,52,60,70,78], query rewriting [1], anno-tation [31] , explanation [8] or reasoning [43,52,56,65]algorithms. In general, the authors reported a linear in-crease in performance over increasing policies. Both[43,56] highlight the fact that reasoning can be expen-sive and consequently only allowing subsumption re-lation between ontology concepts. The most compre-hensive evaluation is performed by [8]. The authorsautomatically generate policies for both real and artifi-cial scenarios in order to evaluate the performance oftheir explanation and negotiation modules. In addition,they discuss the expressiveness of the Protune policylanguage. However, there is still no clear access con-trol benchmark, that can be used to compare differentapproaches in terms of policy enforcement and admin-istration. One suggestion would be to build a set of ac-cess control scenarios and extend the BSBM datasetgenerator to cater for solution benchmarking (i.e. autogenerate access control policies and constraints overincreasing datasets).

Distributed [3]. In order to ensure scalability, it shouldbe possible to cater for the distributed specification andenforcement of access control policies. A number ofresearchers have examined how their proposed solu-tion can be applied to use cases requiring distributedaccess control mechanisms. Amini and Jalili [3] de-scribe a case study on distributed semantic digital li-brary. Bonatti and Olmedilla [8] and Mühleisen et al.[60] developed demos in order to demonstrate howtheir policy languages can be used in a distributed set-ting. Whereas, the access control languages and en-


Table 8Implementation requirements

Effectiveness DistributedUse case

Flexibility &Extensibility

Available Resources

Abel et al. [1] query rewritingperformance

- SeRQL, Protune

Amini and Jalili [3]Ehsan et al. [26]

enforcementperformance

case study Prolog, GWT,Jena, JIP, Protege

Bao et al. [4] - - -Bonatti et al. [10]Bonatti and Olmedilla [7,8]

explanation performance demo Java, TuProlog Protune Framework20,Protune-x Demo21

Chen and Stuckenschmidt [14] JenaVillata et al. [100]Costabello et al. [17,18,19,20]

enforcement performanceBSBM & BTC datasets

mobile usecase & demo

Java, Jena Fuseki,Corese-KGRAM

S4AC Ontology22,Shi3ld demo23

Dietzold and Auer [25] - - RDF, SPARQLFlouris et al. [31] annotation reasoning

performance- Java, Jena,

Sesame, ProgressFranzoni et al. [32] - - Java, SeRQL, SesameGabillon and Letouzey [33] enforcement performance - Java, Tomcat,

SesameJain and Farkas [41] - - Java, Jena, JessJavanmardi et al. [43] policy reasoning - PELLET, SWRLKagal et al. [47]Kagal et al. [48,49]Kagal and Berners-lee [46]Denker et al. [24]

- use cases Java, Prolog Rein framework24

Kim et al. [50] - - -Kirrane et al. [51,53,52]Lopes et al. [58]

performance Linked Datause case

Java, Jena GFAF datasets25

Kolovski et al. [56] policy reasoningContinue dataset

- Pellet

Li and Cheung [57] - - -Mühleisen et al. [60] enforcement performance

BSBM datasetdemo Joseki, Jena, Pellet

Oulmakhzoune et al. [64] discussion - -Papakonstantinou et al. [65] enforcement & reasoning

performance- PostgreSQL, MonetDB

Qin and Atluri [69] - - -Reddivari et al. [70] query performance - Java, Jena, RDQLRyutov et al. [72,73] - - JavaSacco et al. [77,78]Sacco and Passant [76]Sacco and Breslin [74]

enforcement performance mobileuse case

Java PPO Ontology26,PPM screencast27

Steyskal and Polleres [86,87] - Linked Datause case

-

Toninelli et al. [92,93] - - - Proteus framework28

Uszok et al. [95,96,97,99,98,94]Bradshaw et al. [11,12]Johnson et al. [45]Suri et al. [89]

- use cases Java KAoS framework29

forcement frameworks proposed by Costabello et al.[18], Kagal et al. [47], Sacco and Passant [75] and Us-zok et al. [95] are motivated by distributed uses cases.Although Steyskal and Polleres [86] present LinkedData use cases, the adaptation of current distributedquery processing techniques to cater for access controlover Linked Data has not be explored to date.

Flexibility & Extensibility [104,22,8]. The system

should be capable of handling frequent changes topolicies, user, access rights and resources. In addi-tion, in order to provide support for different scenar-ios and future enhancements, the enforcement frame-works should be flexible and extensible. As each ofthe access control strategies examined use one or moreopen standards (see Table 5), they are by design flex-ible and extensible. An overview of the technologiesused in each of the access control proposals examinedis presented in Table 8.


Fig. 6. Access Control Implementation

2002 2004 2006 2008 2010 2012 2014

Effectiveness

Use Case

Flexibility

Resources

query[70]

reasoning[43]

queries[

1], reasoning[56]

explanatio

n[8]

enforcement[3

][33][6

0],reaso

ning[31], discussi

on[64]

enforcement[7

5]

enforcement[1

8][65], rea

soning[65]

enforcement[5

2], reasoning[52]

usecas

e[47][9

5]

demo [8]

case stu

dy[3], demo[60]

usecas

e[75]

usecas

e[18], dem

o[18]

usecas

e[52]

usecas

e[86]

Java[9

5], Java, Prolog[47]

Java, Jen

a, RDQL[70]

Java, Jen

a, JessL[41], Pelle

t, SWRL [43], RDF, SPARQL[25]

Pellet[5

6], SeRQL, Protune[1

], Java, SeR

QL, Sesame[3

2]

Java[7

3], Java, TuProlog[8], Jen

a[14]

Prolog, GWT, Jena, JIP

, Protege[3

], Java, Jen

a, Seasam

e, Progress[3

1],

Java, Tomcat

, Sesame[3

3], Joseki, Jen

a, Pellet[6

0]

Java[7

5]

Java, Jen

a Fuseki, Cores

e-KGRAM[18], Postg

reSQL, MonetD

B[65]

Java, Jen

a[52]

framew

ork[95]

framew

ork[46][92]

ontology[74], manager[74]

ontology[20], manager[20], data

set[52]

Publication Year

Acc

ess

Con

trol

Impl

emen

tatio

n

6. Conclusions and Future Work

This paper provided an overview of relevant accesscontrol models (MAC, DAC, RBAC, VBAC, ABAC,CBAC) and standardisation efforts (XACML, WebID,WAC, P3P, APPEL, ODRL), and described how theyhave been either enhanced by/applied to RDF. A num-ber of well known policy languages, that adopt ontol-ogy based, rule based and combined ontology and rulebased access control enforcement mechanisms wereexamined in detail. Several different strategies thathave be used to specify access control over RDF (triplepatterns, views, named graphs and ontologies) and var-ious reasoning, filtering and query rewriting strate-gies were presented. Finally, a set of requirements forLinked Data, based on several papers that examine ac-cess control for RDF from a number of perspectives,were derived. These requirements were subsequentlyused to classify the various access control specifica-tion, enforcement and administration strategies thathave been proposed for RDF data.

Based on this analysis a number of gaps with respectto access control for Linked Data, which still need tobe addressed were identified:

Usability & Understandability. Access control ad-ministration in general, and over large datasets inparticular, can become extremely difficult to man-age. Access control policies may be composed ofauthorisations specified at multiple levels of gran-ularity. In addition, permissions may be inferredor propagated using different inferencing mecha-nisms, making the task of administration is evenmore cumbersome. An interesting avenue for fu-ture work, would be to investigate if graph baseddata clustering and visualisation techniques, suchas those proposed by [61], can be used to assistsystems administrators to examine the interplaybetween authorisations and rules, and also deter-mine the impact of new authorisations.

Explanations & Negotiation. The benefits associ-ated with explanations are two fold: (i) they al-low the requester to understand what is requiredof them and (ii) they enable the policy owner totroubleshoot potential issues with existing poli-


cies. However, when it comes to explanations inparticular and negotiation in general, there is afine line between usability and security. As such,different levels of detail may need to be relayedto the requester depending on the context. In or-der to devise guidelines for access control expla-nations, it would be beneficial to examine the dif-ferent reasons for access denial and the potentialsecurity impact associated with both single andmultiple explanations.

Effectiveness. In order to work in practice, bothaccess control enforcement and administrationneed to be effective from both a performancesand a correctness perspective. Although a num-ber of authors have conducted access control per-formances evaluations using the BSBM dataset,when it comes to access control for RDF datathere is currently no general access control bench-mark. In addition, there is a pressing need for gen-eral mechanisms that can be used to verify thecorrectness of proposed access control strategies.

References

[1] Fabian Abel, Juri Luca De Coi, Nicola Henze, Arne WolfKoesling, Daniel Krause, and Daniel Olmedilla. Enabling ad-vanced and context-dependent access control in RDF stores.In Karl Aberer, Key-Sun Choi, Natasha Fridman Noy, DeanAllemang, Kyung-Il Lee, Lyndon J. B. Nixon, Jennifer Gol-beck, Peter Mika, Diana Maynard, Riichiro Mizoguchi, GuusSchreiber, and Philippe Cudré-Mauroux, editors, The Seman-tic Web, 6th International Semantic Web Conference, 2ndAsian Semantic Web Conference, ISWC 2007 + ASWC 2007,Busan, Korea, November 11-15, 2007, volume 4825 of Lec-ture Notes in Computer Science, pages 1–14. Springer, 2007.doi:10.1007/978-3-540-76298-0_1.

[2] Jose M. Alcaraz Calero, Gregorio Martínez Pérez, andAntonio F. Gómez-Skarmeta. Towards an authorisationmodel for distributed systems based on the Semantic Web.IET Information Security, 4(4):411–421, December 2010.doi:10.1049/iet-ifs.2009.0260.

[3] Morteza Amini and Rasool Jalili. Multi-level authorisationmodel and framework for distributed semantic-aware environ-ments. IET Information Security, 4(4):301–321, December2010. doi:10.1049/iet-ifs.2009.0198.

[4] Jie Bao, Giora Slutzki, and Vasant Honavar. Privacy-preserving reasoning on the Semantic Web. In 2007 IEEE/ WIC / ACM International Conference on Web Intelligence,WI 2007, 2-5 November 2007, Silicon Valley, CA, USA, MainConference Proceedings, pages 791–797. IEEE ComputerSociety, 2007. doi:10.1109/WI.2007.83.

[5] Tim Berners-Lee, Richard Cyganiak, Michael Hausenblas,Joe Presbrey, Oshani Seneviratne, and Oana-Elena Ureche.Realising a read-write web of data. Technical Report,2009. Available at http://web.mit.edu/presbrey/Public/rw-wod.pdf.

[6] Elisa Bertino and Ravi S. Sandhu. Database security-concepts, approaches, and challenges. IEEE Trans.Dependable Sec. Comput., 2(1):2–19, January 2005.doi:10.1109/TDSC.2005.9.

[7] Piero A. Bonatti and Daniel Olmedilla. Driving and moni-toring provisional trust negotiation with metapolicies. In 6thIEEE International Workshop on Policies for Distributed Sys-tems and Networks (POLICY 2005), 6-8 June 2005, Stock-holm, Sweden, pages 14–23. IEEE Computer Society, June2005. doi:10.1109/POLICY.2005.13.

[8] Piero A. Bonatti and Daniel Olmedilla. Rule-based pol-icy representation and reasoning for the Semantic Web. InGrigoris Antoniou, Uwe Aßmann, Cristina Baroglio, StefanDecker, Nicola Henze, Paula-Lavinia Patranjan, and RobertTolksdorf, editors, Reasoning Web, Third International Sum-mer School 2007, Dresden, Germany, September 3-7, 2007,Tutorial Lectures, volume 4636 of Lecture Notes in ComputerScience, pages 240–268. Springer, 2007. doi:10.1007/978-3-540-74615-7_4.

[9] Piero A. Bonatti and Pierangela Samarati. Regulating ser-vice access and information release on the Web. In Dim-itris Gritzalis, Sushil Jajodia, and Pierangela Samarati, ed-itors, CCS 2000, Proceedings of the 7th ACM Conferenceon Computer and Communications Security, Athens, Greece,November 1-4, 2000, pages 134–143, New York, NY, USA,2000. ACM. doi:10.1145/352600.352620.

[10] Piero A. Bonatti, Juri Luca De Coi, Daniel Olmedilla,and Luigi Sauro. A rule-based trust negotiation system.IEEE Trans. Knowl. Data Eng., 22(11):1507–1520, 2010.doi:10.1109/TKDE.2010.83.

[11] Jeffrey M. Bradshaw, Stewart Dutfield, Pete Benoit, andJohn D. Woolley. KAoS: Toward an industrial-strength openagent architecture. In Jeffrey M. Bradshaw, editor, SoftwareAgents, pages 375–418. MIT Press, 1997. URL http://dl.acm.org/citation.cfm?id=267985.268008.

[12] Jeffrey M. Bradshaw, Andrzej Uszok, Renia Jeffers, Niran-jan Suri, Patrick J. Hayes, Mark H. Burstein, Alessandro Ac-quisti, Brett Benyo, Maggie R. Breedy, Marco M. Carvalho,David J. Diller, Matt Johnson, Shriniwas Kulkarni, JamesLott, Maarten Sierhuis, and Ron van Hoof. Representationand reasoning for DAML-based policy and domain servicesin KAoS and Nomads. In The Second International JointConference on Autonomous Agents & Multiagent Systems,AAMAS 2003, July 14-18, 2003, Melbourne, Victoria, Aus-tralia, Proceedings, pages 835–842, New York, NY, USA,2003. ACM. doi:10.1145/860575.860709.

[13] Elena Cabrio, Alessio Palmero Aprosio, and Serena Villata.These are your rights – A natural language processing ap-proach to automated RDF licenses generation. In ValentinaPresutti, Claudia d’Amato, Fabien Gandon, Mathieu d’Aquin,Steffen Staab, and Anna Tordai, editors, The Semantic Web:Trends and Challenges - 11th International Conference,ESWC 2014, Anissaras, Crete, Greece, May 25-29, 2014.Proceedings, volume 8465 of Lecture Notes in Computer Sci-ence, pages 255–269. Springer, 2014. doi:10.1007/978-3-319-07443-6_18.

[14] Willy Chen and Heiner Stuckenschmidt. A model-driven ap-proach to enable access control for ontologies. In Hans RobertHansen, Dimitris Karagiannis, and Hans-Georg Fill, editors,Business Services: Konzepte, Technologien, Anwendungen. 9.

http://web.mit.edu/presbrey/Public/rw-wod.pdf

http://web.mit.edu/presbrey/Public/rw-wod.pdf

http://dl.acm.org/citation.cfm?id=267985.268008

http://dl.acm.org/citation.cfm?id=267985.268008


Internationale Tagung Wirtschaftsinformatik 25.-27. Februar2009, Wien, volume 246 of [email protected], pages 663–672.Österreichische Computer Gesellschaft, 2009. URL http://aisel.aisnet.org/wi2009/65.

[15] Lorenzo Cirio, Isabel F. Cruz, and Roberto Tamassia. Arole and attribute based access control system using seman-tic web technologies. In Robert Meersman, Zahir Tari, andPilar Herrero, editors, On the Move to Meaningful Inter-net Systems 2007: OTM 2007 Workshops, OTM Confeder-ated International Workshops and Posters, AWeSOMe, CAMS,OTM Academy Doctoral Consortium, MONET, OnToContent,ORM, PerSys, PPN, RDDS, SSWS, and SWWS 2007, Vilam-oura, Portugal, November 25-30, 2007, Proceedings, Part II,volume 4806 of Lecture Notes in Computer Science, pages1256–1266. Springer, 2007. doi:10.1007/978-3-540-76890-6_53.

[16] Antonio Corradi, Rebecca Montanari, and Daniela Tibaldi.Context-based access control for ubiquitous service pro-visioning. In 28th International Computer Software andApplications Conference (COMPSAC 2004), Design andAssessment of Trustworthy Software-Based Systems, 27-30 September 2004, Hong Kong, China, Proceedings,pages 444–451. IEEE Computer Society, September 2004.doi:10.1109/CMPSAC.2004.1342877.

[17] Luca Costabello, Serena Villata, Nicolas Delaforge, and Fa-bien Gandon. Linked data access goes mobile: Context-aware authorization for graph stores. In Christian Bizer,Tom Heath, Tim Berners-Lee, and Michael Hausenblas, edi-tors, WWW2012 Workshop on Linked Data on the Web, Lyon,France, 16 April, 2012, volume 937 of CEUR Workshop Pro-ceedings. CEUR-WS.org, 2012. URL http://ceur-ws.org/Vol-937/ldow2012-paper-05.pdf.

[18] Luca Costabello, Serena Villata, and Fabien Gandon.Context-aware access control for RDF graph stores. InLuc De Raedt, Christian Bessière, Didier Dubois, Patrick Do-herty, Paolo Frasconi, Fredrik Heintz, and Peter J. F. Lucas,editors, ECAI 2012 - 20th European Conference on Artifi-cial Intelligence. Including Prestigious Applications of Arti-ficial Intelligence (PAIS-2012) System Demonstrations Track,Montpellier, France, August 27-31 , 2012, volume 242 ofFrontiers in Artificial Intelligence and Applications, pages282–287. IOS Press, 2012. doi:10.3233/978-1-61499-098-7-282.

[19] Luca Costabello, Serena Villata, Oscar Rodriguez Rocha,and Fabien Gandon. Access control for HTTP opera-tions on linked data. In Philipp Cimiano, Óscar Corcho,Valentina Presutti, Laura Hollink, and Sebastian Rudolph,editors, The Semantic Web: Semantics and Big Data, 10thInternational Conference, ESWC 2013, Montpellier, France,May 26-30, 2013. Proceedings, volume 7882 of LectureNotes in Computer Science, pages 185–199. Springer, 2013.doi:10.1007/978-3-642-38288-8_13.

[20] Luca Costabello, Serena Villata, Iacopo Vagliano, and Fa-bien Gandon. Assisted policy management for SPARQL end-points access control. In Eva Blomqvist and Tudor Groza,editors, Proceedings of the ISWC 2013 Posters & Demon-strations Track, Sydney, Australia, October 23, 2013, vol-ume 1035 of CEUR Workshop Proceedings, pages 33–36.CEUR-WS.org, 2013. URL http://ceur-ws.org/Vol-1035/iswc2013_demo_9.pdf.

[21] Lorrie Cranor, Marc Langheinrich, and Massimo Marchiori.A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C

Working Draft, 15 April 2002. Available at https://www.w3.org/TR/P3P-preferences/.

[22] Ernesto Damiani, Sabrina De Capitani di Vimercati, andPierangela Samarati. New paradigms for access control inopen environments. In Proceedings of the Fifth IEEE Inter-national Symposium on Signal Processing and InformationTechnology, 2005, pages 540–545. IEEE, December 2005.doi:10.1109/ISSPIT.2005.1577155.

[23] Juri Luca De Coi, Philipp Kärger, Arne Wolf Koesling, andDaniel Olmedilla. Control your eLearning environment: Ex-ploiting policies in an open infrastructure for lifelong learn-ing. IEEE Transactions on Learning Technologies, 1(1):88–102, 2008. doi:10.1109/TLT.2008.11.

[24] Grit Denker, Lalana Kagal, and Tim Finin. Security in theSemantic Web using OWL. Inf. Sec. Techn. Report, 10(1):51–58, January 2005. doi:10.1016/j.istr.2004.11.002.

[25] Sebastian Dietzold and Sören Auer. Access control onRDF triple stores from a semantic wiki perspective. InChris Bizer, Sören Auer, and Libby Miller, editors, Proceed-ings of the ESWC’06 Workshop on Scripting for the Se-mantic Web, volume 181 of CEUR Workshop Proceedings.CEUR-WS.org, 2006. URL http://ceur-ws.org/Vol-181/paper3.pdf.

[26] Moussa Amir Ehsan, Morteza Amini, and Rasool Jalili. Asemantic-based access control mechanism using semantictechnologies. In Atilla Elçi, Oleg B. Makarevich, Mehmet A.Orgun, Alexander G. Chefranov, Josef Pieprzyk, Yuri Ana-tolievich Bryukhomitsky, and Siddika Berna Örs, editors,Proceedings of the 2nd International Conference on Securityof Information and Networks, SIN 2009, Gazimagusa, NorthCyprus, October 6-10, 2009, pages 258–267. ACM, 2009.doi:10.1145/1626195.1626259.

[27] Mark Evered and Serge Bögeholz. A case study in ac-cess control requirements for a health information system.In James M. Hogan, Paul Montague, Martin K. Purvis, andChris Steketee, editors, ACSW Frontiers 2004, 2004 ACSWWorkshops - the Australasian Information Security Workshop(AISW2004), the Australasian Workshop on Data Mining andWeb Intelligence (DMWI2004), and the Australasian Work-shop on Software Internationalisation (AWSI2004) . Dunedin,New Zealand, January 2004, volume 32 of CRPIT, pages53–61. Australian Computer Society, 2004. URL http://crpit.com/confpapers/CRPITV32Evered.pdf.

[28] Rodolfo Ferrini and Elisa Bertino. Supporting RBACwith XACML+OWL. In Barbara Carminati and JamesJoshi, editors, SACMAT 2009, 14th ACM Symposium onAccess Control Models and Technologies, Stresa, Italy,June 3-5, 2009, Proceedings, pages 145–154. ACM, 2009.doi:10.1145/1542207.1542231.

[29] Timothy Finin, Anupam Joshi, Lalana Kagal, JianweiNiu, Ravi Sandhu, William Winsborough, and BhavaniThuraisingham. Using OWL to model role based ac-cess control. Technical report, University of Maryland,Baltimore County, February 2008. Available at http://ebiquity.umbc.edu/paper/html/id/384/Using-OWL-to-Model-Role-Based-Access-Control.

[30] Timothy Finin, Anupam Joshi, Lalana Kagal, Jianwei Niu,Ravi Sandhu, William Winsborough, and Bhavani Thurais-ingham. ROWLBAC: representing role based access con-trol in OWL. In Indrakshi Ray and Ninghui Li, ed-

http://aisel.aisnet.org/wi2009/65

http://aisel.aisnet.org/wi2009/65

http://ceur-ws.org/Vol-937/ldow2012-paper-05.pdf

http://ceur-ws.org/Vol-937/ldow2012-paper-05.pdf

http://ceur-ws.org/Vol-1035/iswc2013_demo_9.pdf

http://ceur-ws.org/Vol-1035/iswc2013_demo_9.pdf

https://www.w3.org/TR/P3P-preferences/

https://www.w3.org/TR/P3P-preferences/

http://ceur-ws.org/Vol-181/paper3.pdf


http://crpit.com/confpapers/CRPITV32Evered.pdf

http://crpit.com/confpapers/CRPITV32Evered.pdf

http://ebiquity.umbc.edu/paper/html/id/384/Using-OWL-to-Model-Role-Based-Access-Control




itors, SACMAT 2008, 13th ACM Symposium on AccessControl Models and Technologies, Estes Park, CO, USA,June 11-13, 2008, Proceedings, pages 73–82. ACM, 2008.doi:10.1145/1377836.1377849.

[31] Giorgos Flouris, Irini Fundulaki, Maria Michou, and GrigorisAntoniou. Controlling access to RDF graphs. In Arne-JørgenBerre, Asunción Gómez-Pérez, Kurt Tutschku, and DieterFensel, editors, Future Internet - FIS 2010 - Third Future In-ternet Symposium, Berlin, Germany, September 20-22, 2010.Proceedings, volume 6369 of Lecture Notes in Computer Sci-ence, pages 107–117. Springer, 2010. doi:10.1007/978-3-642-15877-3_12.

[32] Stefano Franzoni, Pietro Mazzoleni, and Stefano Valtolina.Towards a fine-grained access control model and mechanismsfor semantic databases. In 2007 IEEE International Confer-ence on Web Services (ICWS 2007), July 9-13, 2007, Salt LakeCity, Utah, USA, pages 993–1000. IEEE Computer Society,2007. doi:10.1109/ICWS.2007.176.

[33] Alban Gabillon and Léo Letouzey. A view based access con-trol model for SPARQL. In Yang Xiang, Pierangela Samarati,Jiankun Hu, Wanlei Zhou, and Ahmad-Reza Sadeghi, editors,Fourth International Conference on Network and System Se-curity, NSS 2010, Melbourne, Victoria, Australia, September1-3, 2010, pages 105–112. IEEE Computer Society, 2010.doi:10.1109/NSS.2010.35.

[34] Diego Zuquim Guimarães Garcia and Maria Beatriz Felgarde Toledo. A web service privacy framework based on a pol-icy approach enhanced with ontologies. In Proceedings of the11th IEEE International Conference on Computational Sci-ence and Engineering - CSE Workshops 2008, pages 209–214. IEEE, July 2008. doi:10.1109/CSEW.2008.21.

[35] Rita Gavriloaie, Wolfgang Nejdl, Daniel Olmedilla, Kent E.Seamons, and Marianne Winslett. No registration needed:How to use declarative policies and negotiation to access sen-sitive resources on the Semantic Web. In Christoph Bus-sler, John Davies, Dieter Fensel, and Rudi Studer, editors, TheSemantic Web: Research and Applications, First EuropeanSemantic Web Symposium, ESWS 2004, Heraklion, Crete,Greece, May 10-12, 2004, Proceedings, volume 3053 of Lec-ture Notes in Computer Science, pages 342–356. Springer,2004. doi:10.1007/978-3-540-25956-5_24.

[36] Guido Governatori. Defeasible description logics. In GrigorisAntoniou and Harold Boley, editors, Rules and Rule MarkupLanguages for the Semantic Web: Third International Work-shop, RuleML 2004, Hiroshima, Japan, November 8, 2004.Proceedings, volume 3323 of Lecture Notes in Computer Sci-ence, pages 98–112. Springer, 2004. doi:10.1007/978-3-540-30504-0_8.

[37] Patricia P. Griffiths and Bradford W. Wade. An au-thorization mechanism for a relational database sys-tem. ACM Trans. Database Syst., 1(3):242–255, 1976.doi:10.1145/320473.320482.

[38] Tom Heath and Christian Bizer. Linked Data: Evolvingthe Web into a Global Data Space. Synthesis Lectures onthe Semantic Web. Morgan & Claypool Publishers, 2011.doi:10.2200/S00334ED1V01Y201102WBE001.

[39] James Hollenbach, Joe Presbrey, and Tim Berners-Lee. Us-ing RDF metadata to enable access control on the social se-mantic web. In Tania Tudorache, Gianluca Correndo, NatashaNoy, Harith Alani, and Mark Greaves, editors, Proceedingsof the Workshop on Collaborative Construction, Management

and Linking of Structured Knowledge (CK2009), collocatedwith the 8th International Semantic Web Conference (ISWC-2009), Washington D.C., USA, 25 October, 2009, volume 514of CEUR Workshop Proceedings. CEUR-WS.org, 2009. URLhttp://ceur-ws.org/Vol-514/paper3.pdf.

[40] Toby Inkster, Henry Story, Bruno Harbulot, and RetoBachmann-Gmür. WebID in relation to other tech-nologies. Unofficial Draft, 31 March 2016. Avail-able at http://bblfish.net/tmp/2010/08/05/webid-related.respec.html.

[41] Amit Jain and Csilla Farkas. Secure resource descriptionframework: An access control model. In David F. Ferraioloand Indrakshi Ray, editors, SACMAT 2006,11th ACM Sym-posium on Access Control Models and Technologies, LakeTahoe, California, USA, June 7-9, 2006, Proceedings, pages121–129. ACM, 2006. doi:10.1145/1133058.1133076.

[42] Sushil Jajodia, Pierangela Samarati, Maria Luisa Sapino, andV. S. Subrahmanian. Flexible support for multiple access con-trol policies. ACM Trans. Database Syst., 26(2):214–260,June 2001. doi:10.1145/383891.383894.

[43] Sara Javanmardi, Morteza Amini, and Rasool Jalili. An ac-cess control model for protecting semantic web resources. InPiero A. Bonatti, Li Ding, Tim Finin, and Daniel Olmedilla,editors, Proceedings of the ISWC’06 Workshop on SemanticWeb Policy (SWPW’06) Athens, Georgia, USA, November 5,2006, volume 207 of CEUR Workshop Proceedings, pages32–46. CEUR-WS.org, 2006. URL http://ceur-ws.org/Vol-207/paper03.pdf.

[44] Sara Javanmardi, Morteza Amini, Rasool Jalili, and YaserGanjisaffar. SBAC: "a semantic-based access control model".In Viiveke Fåk, editor, 11th Nordic Workshop on SecureIT-systems (NordSecâAZ06), Linköping, Sweden, volume 22,2006.

[45] Matt Johnson, P. Chang, Renia Jeffers, Jeffrey Bradshaw,Maggie Breedy, Larry Bunch, Shriniwas Kulkami, JamesLott, Niranjan Suri, Andrzej Uszok, and V.-W. Soo. KAoS se-mantic policy and domain services: An application of DAMLto web services-based grid architecture. In Lawrence Cave-don, Zakaria Maamar, David Martin, and Boualem Benatal-lah, editors, Extending Web Services Technologies: The Useof Multi-Agent Approaches, pages 119–138. Springer, 2004.doi:10.1007/0-387-23344-X_6.

[46] Lalana Kagal and Tim Berners-lee. Rein : Where poli-cies meet rules in the semantic web. Technical re-port, CSAIL, Massachusetts Institute of Technology, 2005.URL http://groups.csail.mit.edu/dig/2005/05/rein/rein-paper.pdf.

[47] Lalana Kagal, Timothy W. Finin, and Anupam Joshi. A pol-icy language for a pervasive computing environment. In 4thIEEE International Workshop on Policies for Distributed Sys-tems and Networks (POLICY 2003), 4-6 June 2003, LakeComo, Italy, pages 63–74. IEEE Computer Society, 2003.doi:10.1109/POLICY.2003.1206958.

[48] Lalana Kagal, Timothy W. Finin, and Anupam Joshi. A pol-icy based approach to security for the Semantic Web. InDieter Fensel, Katia P. Sycara, and John Mylopoulos, edi-tors, The Semantic Web - ISWC 2003, Second InternationalSemantic Web Conference, Sanibel Island, FL, USA, Oc-tober 20-23, 2003, Proceedings, volume 2870 of LectureNotes in Computer Science, pages 402–418. Springer, 2003.doi:10.1007/978-3-540-39718-2_26.


http://bblfish.net/tmp/2010/08/05/webid-related.respec.html

http://bblfish.net/tmp/2010/08/05/webid-related.respec.html



http://groups.csail.mit.edu/dig/2005/05/rein/rein-paper.pdf

http://groups.csail.mit.edu/dig/2005/05/rein/rein-paper.pdf


[49] Lalana Kagal, Tim Berners-Lee, Dan Connolly, and Daniel J.Weitzner. Using semantic web technologies for policy man-agement on the Web. In Proceedings, The Twenty-First Na-tional Conference on Artificial Intelligence and the Eigh-teenth Innovative Applications of Artificial Intelligence Con-ference, July 16-20, 2006, Boston, Massachusetts, USA, pages1337–1344. AAAI Press, 2006. URL http://www.aaai.org/Library/AAAI/2006/aaai06-210.php.

[50] Jaehoon Kim, Kangsoo Jung, and Seog Park. An introduc-tion to authorization conflict problem in RDF access control.In Ignac Lovrek, Robert J. Howlett, and Lakhmi C. Jain, edi-tors, Knowledge-Based Intelligent Information and Engineer-ing Systems, 12th International Conference, KES 2008, Za-greb, Croatia, September 3-5, 2008, Proceedings, Part II, vol-ume 5178 of Lecture Notes in Computer Science, pages 583–592. Springer, 2008. doi:10.1007/978-3-540-85565-1_72.

[51] Sabrina Kirrane, Nuno Lopes, Alessandra Mileo, and StefanDecker. Protect your RDF data! In Hideaki Takeda, YuzhongQu, Riichiro Mizoguchi, and Yoshinobu Kitamura, editors,Semantic Technology, Second Joint International Conference,JIST 2012, Nara, Japan, December 2-4, 2012. Proceedings,volume 7774 of Lecture Notes in Computer Science, pages81–96. Springer, 2012. doi:10.1007/978-3-642-37996-3_6.

[52] Sabrina Kirrane, Ahmed Abdelrahman, Alessandra Mileo,and Stefan Decker. Secure manipulation of linked data.In Harith Alani, Lalana Kagal, Achille Fokoue, Paul T.Groth, Chris Biemann, Josiane Xavier Parreira, Lora Aroyo,Natasha F. Noy, Chris Welty, and Krzysztof Janowicz, ed-itors, The Semantic Web - ISWC 2013 - 12th InternationalSemantic Web Conference, Sydney, NSW, Australia, October21-25, 2013, Proceedings, Part I, volume 8218 of LectureNotes in Computer Science, pages 248–263. Springer, 2013.doi:10.1007/978-3-642-41335-3_16.

[53] Sabrina Kirrane, Alessandra Mileo, and Stefan Decker. Ap-plying DAC principles to the RDF graph data model. InLech J. Janczewski, Henry B. Wolfe, and Sujeet Shenoi, ed-itors, Security and Privacy Protection in Information Pro-cessing Systems - 28th IFIP TC 11 International Conference,SEC 2013, Auckland, New Zealand, July 8-10, 2013. Pro-ceedings, volume 405 of IFIP Advances in Information andCommunication Technology, pages 69–82. Springer, 2013.doi:10.1007/978-3-642-39218-4_6.

[54] Naren Kodali, Csilla Farkas, and Duminda Wijesekera. Anauthorization model for multimedia digital libraries. Int. J. onDigital Libraries, 4(3):139–155, 2004. doi:10.1007/s00799-004-0080-1.

[55] Pranam Kolari, Li Ding, Shashidhara Ganjugunte, AnupamJoshi, Timothy W. Finin, and Lalana Kagal. Enhancingweb privacy protection through declarative policies. In 6thIEEE International Workshop on Policies for Distributed Sys-tems and Networks (POLICY 2005), 6-8 June 2005, Stock-holm, Sweden, pages 57–66. IEEE Computer Society, 2005.doi:10.1109/POLICY.2005.15.

[56] Vladimir Kolovski, James A. Hendler, and Bijan Parsia. An-alyzing web access control policies. In Carey L. Williamson,Mary Ellen Zurko, Peter F. Patel-Schneider, and Prashant J.Shenoy, editors, Proceedings of the 16th International Con-ference on World Wide Web, WWW 2007, Banff, Alberta,Canada, May 8-12, 2007, pages 677–686. ACM, 2007.doi:10.1145/1242572.1242664.

[57] Jian Li and William K. Cheung. Query rewriting for ac-cess control on Semantic Web. In Willem Jonker and Milan

Petkovic, editors, Secure Data Management, 5th VLDB Work-shop, SDM 2008, Auckland, New Zealand, August 24, 2008,Proceedings, volume 5159 of Lecture Notes in Computer Sci-ence, pages 151–168. Springer, 2008. doi:10.1007/978-3-540-85259-9_10.

[58] Nuno Lopes, Sabrina Kirrane, Antoine Zimmermann, AxelPolleres, and Alessandra Mileo. A logic programming ap-proach for access control over RDF. In Agostino Dovier andVítor Santos Costa, editors, Technical Communications of the28th International Conference on Logic Programming, ICLP2012, September 4-8, 2012, Budapest, Hungary, volume 17 ofLIPIcs, pages 381–392. Schloss Dagstuhl - Leibniz-Zentrumfuer Informatik, 2012. doi:10.4230/LIPIcs.ICLP.2012.381.

[59] Rebecca Montanari, Alessandra Toninelli, and Jeffrey M.Bradshaw. Context-based security management for multi-agent systems. In 2005 IEEE 2nd Symposium on Multi-AgentSecurity and Survivability, pages 75–84. IEEE, August 2005.doi:10.1109/MASSUR.2005.1507050.

[60] Hannes Mühleisen, Martin Kost, and Johann-Christoph Frey-tag. SWRL-based access policies for linked data. InPhilipp Kärger, Daniel Olmedilla, Alexandre Passant, andAxel Polleres, editors, Proceedings of the Second Work-shop on Trust and Privacy on the Social and Semantic Web(SPOT2010), volume 576 of CEUR Workshop Proceedings.CEUR-WS.org, 2010. URL http://CEUR-WS.org/Vol-576/paper1.pdf.

[61] Paul Mutton and Jennifer Golbeck. Visualization of seman-tic metadata and ontologies. In Ebad Banissi, Katy Börner,Chaomei Chen, Gordon Clapworthy, Carsten Maple, AmyLobben, Christopher J. Moore, Jonathan C. Roberts, AnnaUrsyn, and Jian Zhang, editors, Seventh International Confer-ence on Information Visualization, IV 2003, 16-18 July 2003,London, UK, pages 300–305. IEEE Computer Society, 2003.doi:10.1109/IV.2003.1217994.

[62] Azadeh Nematzadeh and Layla Pournajaf. Privacy concernsof semantic web. In Shahram Latifi, editor, Fifth Interna-tional Conference on Information Technology: New Gener-ations (ITNG 2008), 7-8 April 2008, Las Vegas, Nevada,USA, pages 1272–1273. IEEE Computer Society, 2008.doi:10.1109/ITNG.2008.138.

[63] Kieron O’Hara, Noshir S. Contractor, Wendy Hall, James A.Hendler, and Nigel Shadbolt. Web science: Understandingthe emergence of macro-level features on the world wideweb. Foundations and Trends in Web Science, 4(2-3):103–267, 2013. doi:10.1561/1800000017.

[64] Said Oulmakhzoune, Nora Cuppens-Boulahia, Frédéric Cup-pens, and Stephane Morucci. f query: SPARQL query rewrit-ing to enforce data confidentiality. In Sara Foresti and SushilJajodia, editors, Data and Applications Security and PrivacyXXIV, 24th Annual IFIP WG 11.3 Working Conference, Rome,Italy, June 21-23, 2010. Proceedings, volume 6166 of LectureNotes in Computer Science, pages 146–161. Springer, 2010.doi:10.1007/978-3-642-13739-6_10.

[65] Vassilis Papakonstantinou, Maria Michou, Irini Fundulaki,Giorgos Flouris, and Grigoris Antoniou. Access control forRDF graphs using abstract models. In Vijay Atluri, JaideepVaidya, Axel Kern, and Murat Kantarcioglu, editors, 17thACM Symposium on Access Control Models and Technolo-gies, SACMAT ’12, Newark, NJ, USA - June 20 - 22, 2012,pages 103–112. ACM, 2012. doi:10.1145/2295136.2295155.

http://www.aaai.org/Library/AAAI/2006/aaai06-210.php

http://www.aaai.org/Library/AAAI/2006/aaai06-210.php

http://CEUR-WS.org/Vol-576/paper1.pdf

http://CEUR-WS.org/Vol-576/paper1.pdf


[66] Torsten Priebe, Eduardo B. Fernández, Jens Ingo Mehlau, andGünther Pernul. A pattern system for access control. In CsillaFarkas and Pierangela Samarati, editors, Research Directionsin Data and Applications Security XVIII, IFIP TC11/WG 11.3Eighteenth Annual Conference on Data and Applications Se-curity, July 25-28, 2004, Sitges, Catalonia, Spain, volume 144of IFIP International Federation for Information Processing,pages 235–249. Kluwer/Springer, 2004. doi:0.1007/1-4020-8128-6_16.

[67] Torsten Priebe, Wolfgang Dobmeier, and Nora Kamprath.Supporting attribute-based access control with ontologies. InProceedings of the The First International Conference onAvailability, Reliability and Security, ARES 2006, The Inter-national Dependability Conference - Bridging Theory andPractice, April 20-22 2006, Vienna University of Technol-ogy, Austria, pages 465–472. IEEE Computer Society, 2006.doi:10.1109/ARES.2006.127.

[68] Torsten Priebe, Wolfgang Dobmeier, Christian Schläger,and Nora Kamprath. Supporting attribute-based accesscontrol in authorization and authentication infrastructureswith ontologies. Journal of Software, 2(1):27–38, 2007.doi:10.4304/jsw.2.1.27-38.

[69] Li Qin and Vijayalakshmi Atluri. Concept-level access con-trol for the Semantic Web. In Sushil Jajodia and MichiharuKudo, editors, Proceedings of the 2003 ACM Workshop onXML Security, Fairfax, VA, USA, October 31, 2003, pages 94–103. ACM, 2003. doi:10.1145/968559.968575.

[70] Pavan Reddivari, Tim Finin, and Anupam Joshi. Policy-basedaccess control for an RDF store. In Lalana Kagal, Tim Finin,and Jim Hendler, editors, Policy Management for the Web:A workshop held at the 14th International World Wide WebConference, Tuesday 10 May 2005, Chiba, Japan, pages 78–81, 2005.

[71] Erik Rissanen, editor. eXtensible Access ControlMarkup Language (XACML) Version 3.0. OA-SIS Standard, 22 January 2013. Available athttp://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html.

[72] Tatyana Ryutov, Tatiana Kichkaylo, Robert Neches, andMichael Orosz. SFINKS: Secure focused information, news,and knowledge sharing. In 2008 IEEE Conference on Tech-nologies for Homeland Security, pages 404–409. IEEE, May2008. doi:10.1109/THS.2008.4534486.

[73] Tatyana Ryutov, Tatiana Kichkaylo, and Robert Neches.Access control policies for semantic networks. In POL-ICY 2009, IEEE International Symposium on Policies forDistributed Systems and Networks, London, UK, 20-22July 2009, pages 150–157. IEEE Computer Society, 2009.doi:10.1109/POLICY.2009.11.

[74] Owen Sacco and John G. Breslin. PPO & PPM 2.0: Extend-ing the privacy preference framework to provide finer-grainedaccess control for the web of data. In Valentina Presutti andHelena Sofia Pinto, editors, I-SEMANTICS 2012 - 8th In-ternational Conference on Semantic Systems, I-SEMANTICS’12, Graz, Austria, September 5-7, 2012, pages 80–87. ACM,2012. doi:10.1145/2362499.2362511.

[75] Owen Sacco and Alexandre Passant. A Privacy PreferenceOntology (PPO) for Linked Data. In Christian Bizer, TomHeath, Tim Berners-Lee, and Michael Hausenblas, editors,WWW2011 Workshop on Linked Data on the Web, Hyder-

abad, India, March 29, 2011, volume 813 of CEUR Work-shop Proceedings. CEUR-WS.org, 2011. URL http://ceur-ws.org/Vol-813/ldow2011-paper01.pdf.

[76] Owen Sacco and Alexandre Passant. A privacy prefer-ence manager for the social semantic web. In Marcode Gemmis, Ernesto William De Luca, Tommaso Di Noia,Aldo Gangemi, Michael Hausenblas, Pasquale Lops, ThomasLukasiewicz, Till Plumbaum, and Giovanni Semeraro, edi-tors, Proceedings of the second Workshop on Semantic Per-sonalized Information Management: Retrieval and Recom-mendation 2011, Bonn, Germany, October 24, 2011, vol-ume 781 of CEUR Workshop Proceedings, pages 42–53.CEUR-WS.org, 2011. URL http://ceur-ws.org/Vol-781/paper6.pdf.

[77] Owen Sacco, Alexandre Passant, and Stefan Decker. An ac-cess control framework for the web of data. In IEEE 10thInternational Conference on Trust, Security and Privacy inComputing and Communications, TrustCom 2011, Changsha,China, 16-18 November, 2011, pages 456–463. IEEE Com-puter Society, 2011. doi:10.1109/TrustCom.2011.59.

[78] Owen Sacco, Matteo Collina, Gregor Schiele, Gio-vanni Emanuele Corazza, John G. Breslin, and ManfredHauswirth. Fine-grained access control for RDF data onmobile devices. In Xuemin Lin, Yannis Manolopoulos,Divesh Srivastava, and Guangyan Huang, editors, WebInformation Systems Engineering - WISE 2013 - 14thInternational Conference, Nanjing, China, October 13-15,2013, Proceedings, Part I, volume 8180 of Lecture Notesin Computer Science, pages 478–487. Springer, 2013.doi:10.1007/978-3-642-41230-1_40.

[79] Pierangela Samarati and Sabrina De Capitani di Vimercati.Access control: Policies, models, and mechanisms. In Ric-cardo Focardi and Roberto Gorrieri, editors, Foundations ofSecurity Analysis and Design, Tutorial Lectures [revised ver-sions of lectures given during the IFIP WG 1.7 Interna-tional School on Foundations of Security Analysis and De-sign, FOSAD 2000, Bertinoro, Italy, September 2000], vol-ume 2171 of Lecture Notes in Computer Science, pages 137–196. Springer, 2000. doi:10.1007/3-540-45608-2_3.

[80] Andrei Sambra and Stéphane Corlosquet, editors. WebID1.0: Web Identity and Discovery. W3C Editor’s Draft,05 March 2014. Available at https://www.w3.org/2005/Incubator/webid/spec/identity/.

[81] Ravi S. Sandhu and Pierangela Samarati. Access control:principle and practice. IEEE Communications Magazine, 32(9):40–48, September 1994. doi:10.1109/35.312842.

[82] Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein,and Charles E. Youman. Role-based access control: amulti-dimensional view. In 10th Annual Computer Se-curity Applications Conference, ACSAC 1994, 5-9 Decem-ber, 1994 Orlando, FL, USA, pages 54–62. IEEE, 1994.doi:10.1109/CSAC.1994.367293.

[83] Haibo Shen and Yu Cheng. A semantic context-based modelfor mobile web services access control. International Jour-nal of Computer Network and Information Security, 3(1):18–25, 2011. URL http://www.mecs-press.org/ijcnis/ijcnis-v3-n1/v3n1-3.html.

[84] Steve Speicher, John Arwe, and Ashok Malhotra, editors.Linked Data Platform 1.0. W3C Recommendation, 26February 2015. Available at https://www.w3.org/TR/ldp/.

http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

http://ceur-ws.org/Vol-813/ldow2011-paper01.pdf

http://ceur-ws.org/Vol-813/ldow2011-paper01.pdf



https://www.w3.org/2005/Incubator/webid/spec/identity/

https://www.w3.org/2005/Incubator/webid/spec/identity/

http://www.mecs-press.org/ijcnis/ijcnis-v3-n1/v3n1-3.html

http://www.mecs-press.org/ijcnis/ijcnis-v3-n1/v3n1-3.html

https://www.w3.org/TR/ldp/

https://www.w3.org/TR/ldp/


[85] Gerald Stermsek, Mark Strembeck, and Gustaf Neumann.Using subject-and object-specific attributes for access con-trol in web-based knowledge management systems. InProceedings of the Workshop on Secure Knowledge Man-agement (SKM), Amherst, NY, USA, September 2004,2004. URL http://nm.wu-wien.ac.at/home/mark/publications/skm04.pdf.

[86] Simon Steyskal and Axel Polleres. Defining expressive ac-cess policies for linked data using the ODRL ontology 2.0.In Harald Sack, Agata Filipowska, Jens Lehmann, and Se-bastian Hellmann, editors, Proceedings of the 10th Interna-tional Conference on Semantic Systems, SEMANTICS 2014,Leipzig, Germany, September 4-5, 2014, pages 20–23. ACM,2014. doi:10.1145/2660517.2660530.

[87] Simon Steyskal and Axel Polleres. Towards formal seman-tics for ODRL policies. In Nick Bassiliades, Georg Gott-lob, Fariba Sadri, Adrian Paschke, and Dumitru Roman, edi-tors, Rule Technologies: Foundations, Tools, and Applications- 9th International Symposium, RuleML 2015, Berlin, Ger-many, August 2-5, 2015, Proceedings, volume 9202 of Lec-ture Notes in Computer Science, pages 360–375. Springer,2015. doi:10.1007/978-3-319-21542-6_23.

[88] Henry Story, Stéphane Corlosquet, and Andrei Sambra, edi-tors. WebID-TLS: WebID Authentication over TLS. W3C Ed-itor’s Draft, 05 March 2014. Available at https://www.w3.org/2005/Incubator/webid/spec/tls/.

[89] Niranjan Suri, Jeffrey M. Bradshaw, Mark H. Burstein, An-drzej Uszok, Brett Benyo, Maggie R. Breedy, Marco M. Car-valho, David J. Diller, Renia Jeffers, Matt Johnson, ShriniwasKulkarni, and James Lott. DAML-based policy enforcementfor semantic data transformation and filtering in multi-agentsystems. In Vladimír Marík, Jörg P. Müller, and Michal Pe-choucek, editors, Multi-Agent Systems and Applications III,3rd International Central and Eastern European Conferenceon Multi-Agent Systems, CEEMAS 2003, Prague, Czech Re-public, June 16-18, 2003, Proceedings, volume 2691 of Lec-ture Notes in Computer Science, pages 122–135. Springer,2003. doi:10.1007/3-540-45023-8_13.

[90] The W3C Linked Data Platform Working Group. AccessControl, 2015. URL http://www.w3.org/2012/ldp/wiki/AccessControl.

[91] Bhavani M. Thuraisingham. Security and privacy for mul-timedia database management systems. Multimedia ToolsAppl., 33(1):13–29, 2007. doi:10.1007/s11042-006-0096-1.

[92] Alessandra Toninelli, Jeffrey Bradshaw, Lalana Kagal, andRebecca Montanari. Rule-based and ontology-based poli-cies: Toward a hybrid approach to control agents in perva-sive environments. In Lalana Kagal, Tim Finin, and JamesHendler, editors, Proceedings of the Semantic Web and Pol-icy Workshop, 4th International Semantic Web Conference, 7November, 2005, Galway, Ireland, pages 42–54, November2005. URL http://aisl.umbc.edu/resources/215.pdf#page=43.

[93] Alessandra Toninelli, Antonio Corradi, and Rebecca Monta-nari. A quality of context-aware approach to access control inpervasive environments. In Jean-Marie Bonnin, Carlo Gian-nelli, and Thomas Magedanz, editors, Mobile Wireless Mid-dleware, Operating Systems, and Applications, Second In-ternational Conference, Mobilware 2009, Berlin, Germany,April 28-29, 2009, Proceedings, volume 7 of Lecture Notesof the Institute for Computer Sciences, Social Informatics and

Telecommunications Engineering, pages 236–251. Springer,2009. doi:10.1007/978-3-642-01802-2_18.

[94] Andrzej Uszok, Jeffrey M. Bradshaw, Patrick Hayes, ReniaJeffers, Matt Johnson, Shriniwas Kulkarni, Maggie Breedy,James Lott, and Larry Bunch. DAML reality check: A casestudy of KAoS domain and policy services. Submitted tothe International Semantic Web Conference (ISWC 03).Available at http://xstar.ihmc.us/research/projects/KAoS/SemanticWeb03.pdf, 2003.

[95] Andrzej Uszok, Jeffrey M. Bradshaw, Renia Jeffers, Niran-jan Suri, Patrick J. Hayes, Maggie R. Breedy, Larry Bunch,Matt Johnson, Shriniwas Kulkarni, and James Lott. KAoSpolicy and domain services: Toward a description-logic ap-proach to policy representation, deconfliction, and enforce-ment. In 4th IEEE International Workshop on Policies forDistributed Systems and Networks (POLICY 2003), 4-6 June2003, Lake Como, Italy, page 93. IEEE Computer Society,2003. doi:10.1109/POLICY.2003.1206963.

[96] Andrzej Uszok, Jeffrey M. Bradshaw, and Renia Jeffers.Kaos: A policy and domain services framework for grid com-puting and semantic web services. In Christian DamsgaardJensen, Stefan Poslad, and Theodosis Dimitrakos, editors,Trust Management, Second International Conference, iTrust2004, Oxford, UK, March 29 - April 1, 2004, Proceedings,volume 2995 of Lecture Notes in Computer Science, pages16–26. Springer, 2004. doi:10.1007/978-3-540-24747-0_2.

[97] Andrzej Uszok, Jeffrey M. Bradshaw, Renia Jeffers, MatthewJohnson, and Austin Tate Jeff Dalton. Policy and contractmanagement for semantic web services. In Terry Payne, ed-itor, Semantic Web Services: Papers from the 2004 SpringSymposium, Technical Report SS-04-06. AAAI Press, 2004.URL http://www.aaai.org/Library/Symposia/Spring/2004/ss04-06-017.php.

[98] Andrzej Uszok, Jeffrey M. Bradshaw, Renia Jeffers, AustinTate, and Jeff Dalton. Applying KAoS services to ensurepolicy compliance for semantic web services workflow com-position and enactment. In Sheila A. McIlraith, DimitrisPlexousakis, and Frank van Harmelen, editors, The Seman-tic Web - ISWC 2004: Third International Semantic WebConference,Hiroshima, Japan, November 7-11, 2004. Pro-ceedings, volume 3298 of Lecture Notes in Computer Sci-ence, pages 425–440. Springer, 2004. doi:10.1007/978-3-540-30475-3_30.

[99] Andrzej Uszok, Jeffrey M. Bradshaw, Matt Johnson, ReniaJeffers, Austin Tate, Jeff Dalton, and J. Stuart Aitken. KAoSpolicy management for semantic web services. IEEE Intelli-gent Systems, 19(4):32–41, 2004. doi:10.1109/MIS.2004.31.

[100] Serena Villata, Nicolas Delaforge, Fabien Gandon, andAmelie Gyrard. An access control model for linked data.In Robert Meersman, Tharam S. Dillon, and Pilar Herrero,editors, On the Move to Meaningful Internet Systems: OTM2011 Workshops - Confederated International Workshopsand Posters: EI2N+NSF ICE, ICSP+INBAST, ISDE, ORM,OTMA, SWWS+MONET+SeDeS, and VADER 2011, Her-sonissos, Crete, Greece, October 17-21, 2011. Proceedings,volume 7046 of Lecture Notes in Computer Science, pages454–463. Springer, 2011. doi:10.1007/978-3-642-25126-9_57.

[101] W3C SPARQL Working Group. SPARQL 1.1 Overview.W3C Recommendation, 21 March 2013. Available at http://www.w3.org/TR/sparql11-overview/.

http://nm.wu-wien.ac.at/home/mark/publications/skm04.pdf

http://nm.wu-wien.ac.at/home/mark/publications/skm04.pdf

https://www.w3.org/2005/Incubator/webid/spec/tls/

https://www.w3.org/2005/Incubator/webid/spec/tls/

http://www.w3.org/2012/ldp/wiki/AccessControl

http://www.w3.org/2012/ldp/wiki/AccessControl

http://aisl.umbc.edu/resources/215.pdf#page=43

http://aisl.umbc.edu/resources/215.pdf#page=43

http://xstar.ihmc.us/research/projects/KAoS/SemanticWeb03.pdf

http://xstar.ihmc.us/research/projects/KAoS/SemanticWeb03.pdf

http://www.aaai.org/Library/Symposia/Spring/2004/ss04-06-017.php

http://www.aaai.org/Library/Symposia/Spring/2004/ss04-06-017.php

http://www.w3.org/TR/sparql11-overview/

http://www.w3.org/TR/sparql11-overview/


[102] Daniel J. Weitzner, Jim Hendler, Tim Berners-Lee, and DanConnolly. Creating a policy-aware web: Discretionary, rule-based access. In Elena Ferrari and Bhavani Thuraising-ham, editors, Web and Information Security, pages 1–31. IGIGlobal, 2006. doi:10.4018/978-1-59140-588-7.ch001.

[103] Di Wu, Jian Lin, Yabo Dong, and Miaoliang Zhu. Using se-mantic web technologies to specify constraints of RBAC. InSixth International Conference on Parallel and DistributedComputing, Applications and Technologies (PDCAT 2005),

5-8 December 2005, Dalian, China, pages 543–545. IEEEComputer Society, 2005. doi:10.1109/PDCAT.2005.247.

[104] Mariemma Inmaculada Yagüe del Valle, Antonio Mana,Javier Lopez, and José M. Troya. Applying the se-mantic web layers to access control. In 14th Interna-tional Workshop on Database and Expert Systems Appli-cations (DEXA’03), September 1-5, 2003, Prague, CzechRepublic, pages 622–626. IEEE Computer Society, 2003.doi:10.1109/DEXA.2003.1232091.

Access Control and the Resource Description Framework: A ...

Documents

Transcript of Access Control and the Resource Description Framework: A ...